bug: cleanup tags

hashicorp · Jun 25, 2019 · 0a49e10 · 0a49e10
1 parent 90c6232
commit 0a49e10
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 32 deletions.
diff --git a/examples/vault-agent/main.tf b/examples/vault-agent/main.tf
@@ -13,7 +13,7 @@ terraform {
 resource "aws_instance" "example_auth_to_vault" {
   ami           = "${var.ami_id}"
   instance_type = "t2.micro"
-  subnet_id     = "${data.aws_subnet_ids.default.ids[0]}"
+  subnet_id     = tolist(data.aws_subnet_ids.default.ids)[0]
   key_name      = "${var.ssh_key_name}"
 
   # Security group that opens the necessary ports for consul
@@ -26,7 +26,7 @@ resource "aws_instance" "example_auth_to_vault" {
   user_data            = "${data.template_file.user_data_auth_client.rendered}"
   iam_instance_profile = "${aws_iam_instance_profile.example_instance_profile.name}"
 
-  tags {
+  tags = {
     Name = "${var.auth_server_name}"
   }
 }
@@ -74,7 +74,7 @@ module "consul_iam_policies_for_client" {
 data "template_file" "user_data_auth_client" {
   template = "${file("${path.module}/user-data-auth-client.sh")}"
 
-  vars {
+  vars = {
     consul_cluster_tag_key   = "${var.consul_cluster_tag_key}"
     consul_cluster_tag_value = "${var.consul_cluster_name}"
     example_role_name        = "${var.example_role_name}"
@@ -182,7 +182,7 @@ module "consul_iam_policies_servers" {
 data "template_file" "user_data_vault_cluster" {
   template = "${file("${path.module}/user-data-vault.sh")}"
 
-  vars {
+  vars = {
     consul_cluster_tag_key   = "${var.consul_cluster_tag_key}"
     consul_cluster_tag_value = "${var.consul_cluster_name}"
     example_role_name        = "${var.example_role_name}"
@@ -249,7 +249,7 @@ module "consul_cluster" {
 data "template_file" "user_data_consul" {
   template = "${file("${path.module}/user-data-consul.sh")}"
 
-  vars {
+  vars = {
     consul_cluster_tag_key   = "${var.consul_cluster_tag_key}"
     consul_cluster_tag_value = "${var.consul_cluster_name}"
   }

diff --git a/modules/vault-cluster/main.tf b/modules/vault-cluster/main.tf
@@ -34,32 +34,40 @@ resource "aws_autoscaling_group" "autoscaling_group" {
   # And only create the cluster after S3 bucket and policies exist
   # Otherwise Vault might boot and not find the bucket or not yet have the necessary permissions
   # Not using `depends_on` because these resources might not exist
-  # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
-  # force an interpolation expression to be interpreted as a list by wrapping it
-  # in an extra set of list brackets. That form was supported for compatibilty in
-  # v0.11, but is no longer supported in Terraform v0.12.
-  #
-  # If the expression in the following list itself returns a list, remove the
-  # brackets to avoid interpretation as a list of lists. If the expression
-  # returns a single list item then leave it as-is and remove this TODO comment.
-  tags = [
-    concat(
-      [
-        {
-          "key"                     = var.cluster_tag_key
-          "value"                   = var.cluster_name
-          "propagate_at_launch"     = true
-          "using_s3_bucket_backend" = element(concat(aws_iam_role_policy.vault_s3.*.name, [""]), 0)
-          "s3_bucket_id"            = element(concat(aws_s3_bucket.vault_storage.*.id, [""]), 0)
-          "using_auto_unseal" = element(
-            concat(aws_iam_role_policy.vault_auto_unseal_kms.*.name, [""]),
-            0,
-          )
-        },
-      ],
-      var.cluster_extra_tags,
-    ),
-  ]
+  tag {
+    key                 = var.cluster_tag_key
+    value               = var.cluster_name
+    propagate_at_launch = true
+  }
+
+  tag {
+    key                 = "using_s3_bucket_backend"
+    value               = element(concat(aws_iam_role_policy.vault_s3.*.name, list("")), 0)
+    propagate_at_launch = true
+  }
+
+  tag {
+    key                 = "s3_bucket_id"
+    value               = element(concat(aws_s3_bucket.vault_storage.*.id, list("")), 0)
+    propagate_at_launch = true
+  }
+
+  tag {
+    key                 = "using_auto_unseal"
+    value               = element(concat(aws_iam_role_policy.vault_auto_unseal_kms.*.name, list("")), 0)
+    propagate_at_launch = true
+  }
+
+  dynamic "tag" {
+    for_each = var.cluster_extra_tags
+
+    content {
+      key                 = tag.key
+      value               = tag.value
+      propagate_at_launch = tag.propagate_at_launch
+    }
+  }
+
 
   # aws_launch_configuration.launch_configuration in this module sets create_before_destroy to true, which means
   # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors

diff --git a/modules/vault-cluster/variables.tf b/modules/vault-cluster/variables.tf
@@ -104,7 +104,7 @@ variable "cluster_tag_key" {
 
 variable "cluster_extra_tags" {
   description = "A list of additional tags to add to each Instance in the ASG. Each element in the list must be a map with the keys key, value, and propagate_at_launch"
-  type        = list(string)
+  type        = list(object({ key : string, value : string, propagate_at_launch : bool }))
 
   #example:
   # default = [