Module resources not inheriting default_tags from AWS provider. #1455

Closed
ghost opened this issue Jun 21, 2021 · 9 comments
@ghost

ghost commented Jun 21, 2021

Description

Setting default_tags in a provider block does not percolate down to resources created by the module.

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

Terraform v0.15.4
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v3.45.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.2.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.3.2
+ provider registry.terraform.io/hashicorp/local v2.1.0
+ provider registry.terraform.io/terraform-aws-modules/http v2.4.1
 - Module: terraform-aws-eks?

Reproduction

Steps to reproduce the behavior:
Set a locals with a base_tags variable:

locals {
  base_tags = {
    environment = "foo"
    owner       = "[email protected]"
  }
}

Apply default_tags to the aws provider:

terraform {
  required_version = "~> 0.14"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "3.45.0"
    }
  }
  backend "s3" {
    encrypt = true
  }
}

terraform apply

Observe no tags applied to the resources (such as AWS EC2 Autoscaling groups).

Code Snippet to Reproduce

module "eks" { # opening line missing from the original snippet; the label "eks" is assumed
  source                      = "terraform-aws-modules/eks/aws"
  cluster_name                = "widget-${var.environment}"
  cluster_version             = "1.18"
  subnets                     = var.private_subnets
  vpc_id                      = var.vpc_id
  cluster_enabled_log_types   = local.cluster_enabled_log_types
  manage_aws_auth             = true
  write_kubeconfig            = true
  kubeconfig_output_path      = "./"
  workers_additional_policies = ["arn:aws:iam::123456789012:policy/foobar"]
  map_users                   = var.user_permissions
  tags                        = local.base_tags

  worker_groups = [
    {
      name                 = "worker-group-1"
      instance_type        = var.instance_type
      asg_desired_capacity = 1
      asg_max_size         = 4
      asg_min_size         = 1
      disk_size            = 80
    },
    {
      name                 = "worker-group-2"
      instance_type        = var.instance_type
      asg_desired_capacity = 1
      asg_max_size         = 4
      asg_min_size         = 1
      disk_size            = 80
    },
  ]
}

Expected behavior

Tags applied to resources created by the module

Actual behavior

No tags applied to resources created by the module

Additional context

It's also worth noting that default_tags in the provider also conflicts with setting tags in the module itself. I get a complaint about de-duplicating tags. This would not be a big deal if I did not need to create other AWS resources outside of this module.

@ghost
Author

ghost commented Jun 21, 2021

I recognize that this is a known issue with the default tagging as documented (https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider) but the issue I have is that I cannot do both. I can't set it in tags in the module and default_tags for resources not managed by said module.

@gavinclarkeuk

Seeing the same issue - I'm guessing it is related to the fix for #860

My understanding is that out of the box EKS's ASGs don't propagate tags correctly, so the fix for the above applies a specific workaround directly to the ASG. The workaround isn't looking at the default tags, just the tags passed to the module. Presumably needs to do some combination of the two - perhaps by using tags_all from some appropriate parent object?

@aidan-mundy
Contributor

This seems solvable via the use of launch templates. I would like to avoid manually managing my launch template, but the module should be able to pull in tags and add them to the launch template. It may require some more advanced configuration because launch templates can specify which tags are applied to different resources used by the instance.

kerin referenced this issue in alphagov/govuk-infrastructure Aug 23, 2021
This adds some of the tags from the [tagging guide] from the previous
ECS project. I've omitted `chargeable_entity` and `environment` because
those might need a bit of a rethink in light of the switch to
Kubernetes. (For example is the "environment" the same thing from an
infrastructure perspective as it is from the
cluster-user/developer/application perspective?)

The idea here is really just to define a place to put the common tags so
that we continue to set them in the right way. Using [provider default
tags] (relatively new feature) is now the cleanest way to do this.

Thanks to @kerin for the suggestion of using provider default tags.

One caveat is that the default tags aren't propagated to ASGs, so this
doesn't currently tag the node pool ASG. Passing the same set of tags to
the `eks` module in order to tag the ASG doesn't work, because the TF
provider unhelpfully forbids individual resources from overriding
provider-specific tags because of a design limitation of TF. (See
hashicorp/terraform-provider-aws#19204.)

[tagging guide]: https://github.com/alphagov/govuk-infrastructure/blob/main/terraform/docs/tagging-guide.md
[provider default tags]: https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider
@bryantbiggs
Member

FYI - this does not have anything to do with the module, it is purely controlled within the upstream AWS provider. we can leave this open but there won't be anything we can do here when it comes to default_tags on ASGs

ref https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags

> This functionality is supported in all resources that implement tags, with the exception of the aws_autoscaling_group resource

@bryantbiggs
Member

looks like this new release could offer a resolution hashicorp/terraform-provider-aws#20009

@balonik

balonik commented Aug 27, 2021

Another issue is tagging volumes created by Launch Template. Since ASGs can propagate tags only to instances, volumes are left out. Currently there is no way to specify extra tags for volumes in aws_launch_template in this module. This module only merges input tags for volumes in aws_launch_template.
If I have a set of tags configured in AWS provider's default_tags, I cannot set them in the module's input tags, because I will get a conflict since the input tags are used everywhere. But if I don't specify them, all my volumes created by Launch Template will not be tagged anymore.
There could be some additional input to specify tags for Launch Template volumes, maybe? Until ASGs can propagate tags to volumes.
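
A plan-time check for the tagging gaps described in this thread, as an added example that is not part of the original issue or the module's code: it reads the JSON produced by `terraform show -json` and reports Auto Scaling groups without propagated tags and launch templates without volume tags. The required keys are taken from the issue's base_tags; the sample plan, its resource addresses and the function names are constructed for illustration.

```python
REQUIRED_KEYS = {"environment", "owner"}  # keys of base_tags in the issue

def walk(module):
    """Yield every resource in a plan module and its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def asg_missing(values):
    """Required keys an ASG does not carry with propagate_at_launch set.

    `tag` blocks hold booleans; the list-of-maps `tags` form holds strings.
    """
    tags = list(values.get("tag") or []) + list(values.get("tags") or [])
    have = {t.get("key") for t in tags
            if str(t.get("propagate_at_launch")).lower() == "true"}
    return REQUIRED_KEYS - have

def volume_missing(values):
    """Required keys absent from a launch template's volume tag_specifications."""
    have = set()
    for spec in values.get("tag_specifications") or []:
        if spec.get("resource_type") == "volume":
            have |= set(spec.get("tags") or {})
    return REQUIRED_KEYS - have

CHECKS = {"aws_autoscaling_group": asg_missing, "aws_launch_template": volume_missing}

def audit(plan):
    """Return (address, missing_keys) for each ASG or launch template with a gap."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in walk(root):
        check = CHECKS.get(res.get("type"))
        missing = check(res.get("values") or {}) if check else set()
        if missing:
            findings.append((res["address"], sorted(missing)))
    return findings

# Constructed sample plan; addresses and tag values are illustrative.
SAMPLE_PLAN = {"planned_values": {"root_module": {"child_modules": [{"resources": [
    {"address": "module.eks.aws_autoscaling_group.a", "type": "aws_autoscaling_group",
     "values": {"tag": [{"key": "environment", "value": "foo", "propagate_at_launch": True},
                        {"key": "owner", "value": "ops", "propagate_at_launch": False}]}},
    {"address": "module.eks.aws_launch_template.a", "type": "aws_launch_template",
     "values": {"tag_specifications": [
         {"resource_type": "instance", "tags": {"environment": "foo", "owner": "ops"}}]}},
]}]}}}

if __name__ == "__main__":
    print(audit(SAMPLE_PLAN))
```

Run against a real plan by loading the output of `terraform show -json <planfile>` with `json.load` and passing it to `audit`.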

@stale

stale bot commented Sep 26, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Sep 26, 2021
@stale

stale bot commented Oct 3, 2021

This issue has been automatically closed because it has not had recent activity since being marked as stale.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 18, 2022