SecurityGroups: ensure owned security groups are tagged

Justin Santa Barbara 2018-03-24 20:24:12 -04:00
parent ebdf284418
commit 12873d3868
5 changed files with 12 additions and 7 deletions


@ -151,6 +151,7 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
Description: s("Security group for api ELB"),
RemoveExtraRules: []string{"port=443"},
}
t.Tags = b.CloudTags(*t.Name, false)
c.AddTask(t)
}
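Review bot: The bare `false` in `t.Tags = b.CloudTags(*t.Name, false)` is not self-explanatory at the call site, and the same assignment is repeated in the bastion builder (two places) and in `buildNodeRules` and `buildMasterRules`. A short comment such as `// false: this group is owned by the cluster, not shared` would help, if that is what the argument means; its definition is not on this page. Alternatively the five sites could share a small helper that returns the SecurityGroup task with its tags already set, so a builder added later cannot omit them. The enclosing `Build` function starts and ends outside the hunk.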


@ -64,6 +64,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
Description: s("Security group for bastion"),
RemoveExtraRules: []string{"port=22"},
}
t.Tags = b.CloudTags(*t.Name, false)
c.AddTask(t)
}
@ -136,6 +137,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
Description: s("Security group for bastion ELB"),
RemoveExtraRules: []string{"port=22"},
}
t.Tags = b.CloudTags(*t.Name, false)
c.AddTask(t)
}


@ -60,6 +60,7 @@ func (b *FirewallModelBuilder) buildNodeRules(c *fi.ModelBuilderContext) error {
Description: s("Security group for nodes"),
RemoveExtraRules: []string{"port=22"},
}
t.Tags = b.CloudTags(*t.Name, false)
c.AddTask(t)
}
@ -333,6 +334,7 @@ func (b *FirewallModelBuilder) buildMasterRules(c *fi.ModelBuilderContext) error
// TODO: Protocol 4 for calico
},
}
t.Tags = b.CloudTags(*t.Name, false)
c.AddTask(t)
}


@ -43,6 +43,8 @@ type SecurityGroup struct {
// Shared is set if this is a shared security group (one we don't create or own)
Shared *bool
Tags map[string]string
}
var _ fi.CompareWithID = &SecurityGroup{}
@ -74,6 +76,7 @@ func (e *SecurityGroup) Find(c *fi.Context) (*SecurityGroup, error) {
Name: sg.GroupName,
Description: sg.Description,
VPC: &VPC{ID: sg.VpcId},
Tags: intersectTags(sg.Tags, e.Tags),
}
glog.V(2).Infof("found matching SecurityGroup %q", *actual.ID)
@ -180,7 +183,7 @@ func (_ *SecurityGroup) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *Security
e.ID = response.GroupId
}
return t.AddAWSTags(*e.ID, t.Cloud.BuildTags(e.Name))
return t.AddAWSTags(*e.ID, e.Tags)
}
type terraformSecurityGroup struct {
@ -191,8 +194,6 @@ type terraformSecurityGroup struct {
}
func (_ *SecurityGroup) RenderTerraform(t *terraform.TerraformTarget, a, e, changes *SecurityGroup) error {
cloud := t.Cloud.(awsup.AWSCloud)
shared := fi.BoolValue(e.Shared)
if shared {
// Not terraform owned / managed
@ -203,7 +204,7 @@ func (_ *SecurityGroup) RenderTerraform(t *terraform.TerraformTarget, a, e, chan
Name: e.Name,
VPCID: e.VPC.TerraformLink(),
Description: e.Description,
Tags: cloud.BuildTags(e.Name),
Tags: e.Tags,
}
return t.RenderResource("aws_security_group", *e.Name, tf)
@ -237,13 +238,11 @@ func (_ *SecurityGroup) RenderCloudformation(t *cloudformation.CloudformationTar
return nil
}
cloud := t.Cloud.(awsup.AWSCloud)
tf := &cloudformationSecurityGroup{
//Name: e.Name,
VpcId: e.VPC.CloudformationLink(),
Description: e.Description,
Tags: buildCloudformationTags(cloud.BuildTags(e.Name)),
Tags: buildCloudformationTags(e.Tags),
}
return t.RenderResource("AWS::EC2::SecurityGroup", *e.Name, tf)
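Review bot: Nothing visible in this section rejects an owned (non-shared) SecurityGroup whose `Tags` is nil. After this change `RenderAWS`, `RenderTerraform` and `RenderCloudformation` all emit `e.Tags` as given instead of deriving tags from `e.Name`. A builder that forgets to set the field would then create an untagged group, which presumably defeats the tag-based ownership the commit title refers to. In `Find`, `intersectTags(sg.Tags, e.Tags)` with an empty `e.Tags` would likely report no difference either. A guard in the task's validation, for example `if !fi.BoolValue(e.Shared) && len(e.Tags) == 0 { return fmt.Errorf("Tags is required for owned security group") }`, would surface the omission early, and the new field deserves a comment like `// Tags is the set of AWS tags applied to the group; expected to be set for groups we own`. The render functions and the validation code lie partly outside these hunks, so confirm that no such check already exists.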


@ -109,6 +109,7 @@ func TestSecurityGroupCreate(t *testing.T) {
Name: s("sg1"),
Description: s("Description"),
VPC: vpc1,
Tags: map[string]string{"Name": "sg1"},
}
return map[string]fi.Task{