Add Northeastern University tags to AWS resources

Author: loafofpiecrust

.github/workflows/main.yml

@@ -12,7 +12,8 @@ on:
 
 concurrency:
   group: infra-${{ github.ref }}
-  cancel-in-progress: true
+  # Cancelling terraform deployments will screw up terraform's own locking mechanism
+  cancel-in-progress: false
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:

terraform/auth.nix

@@ -7,6 +7,7 @@
       username_attributes = [ "email" ];
       auto_verified_attributes = [ "email" ];
       admin_create_user_config.allow_admin_create_user_only = true;
+      tags = config.setup.global_tags;
     };
 
     aws_cognito_user_pool_client.main = {

terraform/bootstrap.nix

@@ -5,9 +5,13 @@ with lib; {
       bucket = mkOption { type = str; };
       table = mkOption { type = str; };
     };
-    stage = mkOption { type = str; };
+    stage = mkOption { type = enum [ "dev" "prod" ]; };
     vpc = mkOption { type = str; };
     subnets = mkOption { type = attrsOf str; };
+    global_tags = mkOption {
+      type = attrsOf str;
+      default = { };
+    };
   };
 
   config = {
@@ -22,7 +26,7 @@ with lib; {
           sse_algorithm = "AES256";
         };
       versioning.enabled = true;
-      tags."Terraform" = "true";
+      tags = { "Terraform" = "true"; } // config.setup.global_tags;
       lifecycle.prevent_destroy = true;
     };
 
@@ -39,7 +43,7 @@ with lib; {
       tags = {
         Name = config.setup.state.table;
         BuiltBy = "Terraform";
-      };
+      } // config.setup.global_tags;
       lifecycle.prevent_destroy = true;
     };
 

terraform/database-nixos.nix

@@ -26,6 +26,14 @@ in {
         type = listOf attrs;
         default = [ ];
       };
+      instance_tags = mkOption {
+        type = attrsOf str;
+        default = { };
+      };
+      storage_tags = mkOption {
+        type = attrsOf str;
+        default = { };
+      };
     };
 
   config.resource = let
@@ -39,7 +47,9 @@ in {
           volume.iops
         else
           null;
-        tags = { Name = "dailp-${toKebabCase volume.name}"; };
+        tags = {
+          Name = "dailp-${toKebabCase volume.name}";
+        } // config.setup.global_tags // config.servers.mongodb.storage_tags;
         lifecycle.prevent_destroy = true;
       };
 
@@ -67,7 +77,10 @@ in {
                 volume_size = root_volume_size;
                 volume_type = "gp3";
               };
-              tags = { Name = "dailp-${toKebabCase name}"; };
+              tags = {
+                Name = "dailp-${toKebabCase name}";
+              } // config.setup.global_tags
+                // config.servers.mongodb.instance_tags;
               lifecycle.prevent_destroy = true;
             };
 
@@ -244,9 +257,11 @@ in {
           target_host = "\${aws_instance.${name}.public_ip}";
           ssh_agent = false;
           ssh_private_key = getEnv "AWS_SSH_KEY";
-          arguments = mkMerge ([{ primaryAddress = primaryIp; }]
-            ++ (imap0 (i: addr: { "secondary${toString i}Address" = addr; })
-              secondaryAddrs));
+          arguments = mkMerge ([{
+            hostName = config.resource.aws_instance."${name}".tags.Name;
+            primaryAddress = primaryIp;
+          }] ++ (imap0 (i: addr: { "secondary${toString i}Address" = addr; })
+            secondaryAddrs));
           # extra_eval_args = [
           #   # HACK: Force the deployment to wait for all volumes to be attached
           #   # first. This helps prevent wonky MongoDB logging errors.

terraform/functions.nix

@@ -51,6 +51,7 @@ let
             security_group_ids = config.functions.security_group_ids;
           };
           environment.variables = env;
+          tags = config.setup.global_tags // config.functions.tags;
         };
         aws_lambda_permission."${id}" = {
           statement_id = "AllowAPIGatewayInvoke";
@@ -73,6 +74,10 @@ in {
     security_group_ids = mkOption { type = listOf str; };
     package_path = mkOption { type = str; };
     functions = mkOption { type = listOf attrs; };
+    tags = mkOption {
+      type = attrsOf str;
+      default = { };
+    };
   };
 
   config.resource = mkMerge (map mkLambda config.functions.functions);

terraform/main.nix

@@ -21,6 +21,7 @@ in {
     ./database-nixos.nix
     ./auth.nix
     ./website.nix
+    ./nu-tags.nix
   ];
 
   # Gives all modules access to which stage we're deploying to, while also
@@ -35,14 +36,13 @@ in {
     version = "~> 3.44";
   };
 
-  # Setup the S3 bucket and DynamoDB table that store and manage Terraform state
-  # for the current environment.
-  setup.state = {
-    bucket = "dailp-${config.setup.stage}-terraform-state-bucket";
-    table = "dailp-${config.setup.stage}-terraform-state-locks";
-  };
-
   setup = {
+    # Setup the S3 bucket and DynamoDB table that store and manage Terraform state
+    # for the current environment.
+    state = {
+      bucket = "dailp-${config.setup.stage}-terraform-state-bucket";
+      table = "dailp-${config.setup.stage}-terraform-state-locks";
+    };
     vpc = getEnv "AWS_VPC_ID";
     subnets = {
       primary = getEnv "AWS_SUBNET_PRIMARY";

terraform/mongodb-configuration.nix

@@ -11,7 +11,8 @@
 #
 # The secondary benefit is that you guard the `nixpkgs` you use, with
 # an integrity hash.
-{ primaryAddress, secondary0Address ? null, secondary1Address ? null, ... }:
+{ hostName, primaryAddress, secondary0Address ? null, secondary1Address ? null
+, ... }:
 let
   nixpkgs = let
     rev = "cd63096d6d887d689543a0b97743d28995bc9bc3";
@@ -28,6 +29,7 @@ in import "${nixpkgs}/nixos" {
 
     ec2.hvm = true;
 
+    networking.hostName = hostName;
     # Only allow SSH and certain MongoDB ports.
     networking.firewall.allowedTCPPorts = [ 22 27017 27030 ];
 

terraform/nu-tags.nix

@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+{
+  setup.global_tags = {
+    # Placeholder values, these should be sourced from secrets.
+    "nu:account-code" = "0000000";
+    "nu:index-division" = "0000000";
+    "nu:owner" = "dsg";
+    "nu:creator" = "dailp-deployment";
+    "nu:environment" =
+      if config.setup.stage == "dev" then "library-dev" else "library-prod";
+    "nu:application" = "dailp";
+  };
+  servers.mongodb.instance_tags = {
+    "nu:function" = "database";
+    "nu:os" = "nixos";
+    "nu:backups" = "no";
+  };
+  servers.mongodb.storage_tags = {
+    "nu:function" = "database";
+    "nu:backups" = "no";
+  };
+  functions.tags = { "nu:function" = "application-server"; };
+}

terraform/website.nix

@@ -30,6 +30,7 @@ with builtins; {
       in {
         lifecycle.prevent_destroy = true;
         name = "dailp";
+        tags = config.setup.global_tags;
         description =
           "Digital Archive of American Indian Languages Preservation and Perseverance";
         repository = lib.toLower (getEnv "GIT_REPOSITORY_URL");