From ad0910b7b68836f754d2c76be7c5432f9fabd0a8 Mon Sep 17 00:00:00 2001
From: Liam Nesteroff <35284740+lnesteroff@users.noreply.github.com>
Date: Fri, 20 Jun 2025 19:50:58 +1000
Subject: [PATCH] Fixed hard-coded resource management tags (!var.tag_names) (#3180)
* fixed var.tag_names ignores
* added some more missed var.tag_values
* fixed exp intended as ref
---------
Co-authored-by: Ludovico Magnocavallo
---
 fast/stages/1-resman/organization.tf | 24 ++++++++++++------------
 fast/stages/1-resman/stage-2.tf | 4 ++--
 fast/stages/1-resman/stage-3.tf | 2 +-
 3 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/fast/stages/1-resman/organization.tf b/fast/stages/1-resman/organization.tf
index 1ab162223..a72ca8836 100644
--- a/fast/stages/1-resman/organization.tf
+++ b/fast/stages/1-resman/organization.tf
@@ -28,15 +28,15 @@ locals {
 # top-level folders
 {
 for k, v in local.top_level_folders : k => {
- iam = try(local.tags.context.values.iam[k], {})
- description = try(local.tags.context.values.description[k], null)
+ iam = try(local.tags[var.tag_names.context].values.iam[k], {})
+ description = try(local.tags[var.tag_names.context].values.description[k], null)
 } if v.is_fast_context == true
 },
 # stage 2s
 {
 for k, v in local._context_tag_values_stage2 : v => {
- iam = try(local.tags.context.values.iam[v], {})
- description = try(local.tags.context.values.description[v], null)
+ iam = try(local.tags[var.tag_names.context].values.iam[v], {})
+ description = try(local.tags[var.tag_names.context].values.description[v], null)
 }
 },
 # stage 3 define no context as they attach to a top-level folder
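Review bot: The context lookups index `values.iam[k]` and `values.description[k]`, while the environment block in the next hunk of this file indexes `values[v.tag_name].iam`; both read from `local.tags`, so one of the two orders is presumably wrong, and the surrounding `try()` turns a wrong path into `{}` or `null` without raising an error. If context values have the same shape as environment values, user-defined IAM bindings and descriptions on context tag values are silently dropped, the same kind of quiet fallback that appears to have hidden the hard-coded key this commit fixes. The lines would then read `iam = try(local.tags[var.tag_names.context].values[k].iam, {})` and `description = try(local.tags[var.tag_names.context].values[k].description, null)`, with `[v]` in place of `[k]` in the stage 2 block. The schema of `local.tags` is outside the hunk, so confirm against it before changing the order.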
@@ -46,21 +46,21 @@ locals {
 for k, v in var.environments : v.tag_name => {
 iam = merge(
 # user-defined configuration
- try(local.tags.environment.values[v.tag_name].iam, {}),
+ try(local.tags[var.tag_names.environment].values[v.tag_name].iam, {}),
 # stage 2 service accounts
 {
 "roles/resourcemanager.tagUser" = distinct(concat(
- try(local.tags.environment.values[v.tag_name].iam["roles/resourcemanager.tagUser"], []),
+ try(local.tags[var.tag_names.environment].values[v.tag_name].iam["roles/resourcemanager.tagUser"], []),
 [for k, v in module.stage2-sa-rw : v.iam_email]
 ))
 "roles/resourcemanager.tagViewer" = distinct(concat(
- try(local.tags.environment.values[v.tag_name].iam["roles/resourcemanager.tagViewer"], []),
+ try(local.tags[var.tag_names.environment].values[v.tag_name].iam["roles/resourcemanager.tagViewer"], []),
 [for k, v in module.stage2-sa-ro : v.iam_email]
 ))
 }
 )
 description = try(
- local.tags.environment.values[v.tag_name].description, null
+ local.tags[var.tag_names.environment].values[v.tag_name].description, null
 )
 }
 }
@@ -121,13 +121,13 @@ module "organization" {
 # they are managed authoritatively and will break multitenant stages
 tags = merge(local.tags, {
 (var.tag_names.context) = {
- description = "Resource management context."
- iam = try(local.tags.context.iam, {})
+ description = try(local.tags[var.tag_names.context].description, "Resource management context.")
+ iam = try(local.tags[var.tag_names.context].iam, {})
 values = local.context_tag_values
 },
 (var.tag_names.environment) = {
- description = "Environment definition."
- iam = try(local.tags.environment.iam, {})
+ description = try(local.tags[var.tag_names.environment].description, "Environment definition.")
+ iam = try(local.tags[var.tag_names.environment].iam, {})
 values = local.environment_tag_values
 }
 })
diff --git a/fast/stages/1-resman/stage-2.tf b/fast/stages/1-resman/stage-2.tf
index afcac67f4..d3e1d6881 100644
--- a/fast/stages/1-resman/stage-2.tf
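Review bot: In the `tags` argument of `module "organization"`, `try()` falls back only when the expression errors, so a `local.tags` entry that exists with a null `description` passes null through instead of the default text. If the `tags` variable's schema allows that (it is not visible in the hunk), wrap the lookup as `description = coalesce(try(local.tags[var.tag_names.context].description, null), "Resource management context.")`, and do the same for the environment entry. It is also worth a comment that `merge()` is shallow here, so only `description`, `iam` and `values` are carried over from a user-defined entry under these two keys. The module block starts and ends outside the hunk.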
+++ b/fast/stages/1-resman/stage-2.tf
@@ -196,7 +196,7 @@ module "stage2-folder" {
 }
 org_policies = each.value.folder_config.org_policies
 tag_bindings = merge({
- context = local.tag_values["context/${each.key}"].id
+ (var.tag_names.context) = local.tag_values["${var.tag_names.context}/${each.key}"].id
 }, {
 for k, v in each.value.folder_config.tag_bindings : k => try(
 local.tag_values[v].id, v
@@ -213,7 +213,7 @@ module "stage2-folder-env" {
 parent = module.stage2-folder[each.value.stage].id
 name = each.value.name
 tag_bindings = {
- environment = try(
+ (var.tag_names.environment) = try(
 local.tag_values["${var.tag_names.environment}/${each.value.tag_name}"].id,
 null
 )
diff --git a/fast/stages/1-resman/stage-3.tf b/fast/stages/1-resman/stage-3.tf
index f96945301..7fb3bb596 100644
--- a/fast/stages/1-resman/stage-3.tf
+++ b/fast/stages/1-resman/stage-3.tf
@@ -152,7 +152,7 @@ module "stage3-folder" {
 org_policies = each.value.folder_config.org_policies
 tag_bindings = merge(
 {
- environment = local.tag_values["environment/${var.environments[each.value.environment].tag_name}"].id
+ (var.tag_names.environment) = local.tag_values["${var.tag_names.environment}/${var.environments[each.value.environment].tag_name}"].id
 },
 {
 for k, v in each.value.folder_config.tag_bindings : k => try(
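Review bot: In `stage2-folder`, the map built from `each.value.folder_config.tag_bindings` is the later argument to `merge()`, so an entry there keyed with the value of `var.tag_names.context` replaces the stage-managed context binding; before this change the colliding key was the literal `context`. The same holds for the `var.tag_names.environment` key in the `stage3-folder` hunk. If these bindings feed IAM conditions or policy scoping elsewhere (not visible here), either pass the stage-managed map last to `merge()` or record the override as intended with a comment such as `# folder_config.tag_bindings may override the context binding by reusing its key`. Both `merge()` calls continue past the end of their hunks.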