Not all resources are being automatically tagged

[vwatinteg]

Hi, I'm seeing some of my resources are not being automatically tagged.
requirements.txt
pulumi==3.120.0 pulumi_kubernetes==4.13.1 pulumi_aws==6.41.0 pulumi_aws_tags>=0.9.0 pulumi_eks==2.7.6

main.py
`from pulumi_aws_tags import register_auto_tags
...
register_auto_tags({"my": "tags"})

...

class myEKSClass:
...

def create():
cluster_args = eks.ClusterArgs(
name=self.name,
...
tags={"Name": "my-cluster-name"},
)
self.eks = eks.Cluster(self.name, cluster_args)
`

I was expecting the tags to show
{ "my": "tags", "Name": "my-cluster-name"}

However I'm only seeing {"Name": "my-cluster-name"}

Is this a known issue? Am I missing something?

[tlinhart]

Hi @vwatinteg, thanks for reporting this, it's not a known issue. After a brief look I see there's also a cluster_tags argument of the resource's constructor (see here).

Let me take a deeper look into this.

[tlinhart]

The problem is twofold as I see it:

1. You are using a Cluster resource from the pulumi_eks package and not the Cluster resource from the pulumi_aws package. The former is a component resource wrapping other resources (including the later i.e. cluster from Pulumi AWS package). The way pulumi_aws_tags works is by going through the pulumi_aws package looking for resources which support the tags argument. Thus, it won't work for resources from other packages like in your case because they won't be considered as taggable.
2. On the other hand, as the component resource is wrapping the cluster from Pulumi AWS package, in theory it should create that cluster resource which is known as taggable (see here). For some reason though it's not going through the stack transformation which would assign the tags.

So, for now consider this as an unsupported use case and supply the tags manually. In the meantime I'll try to investigate a little bit more.

[tlinhart]

@vwatinteg I tried to reproduce the issue. I created this minimal Pulumi program:

import pulumi
import pulumi_eks as eks
from pulumi_aws_tags import register_auto_tags

register_auto_tags(
    {"user:Project": pulumi.get_project(), "user:Stack": pulumi.get_stack()}
)

cluster = eks.Cluster("cluster")

I also put a print statement in the stack transformation to see what resources are actually going through and thus would be tagged if taggable. Here's the result of pulumi preview:

$ pulumi preview 
Previewing update (x-pulumi-tags-dev):
     Type                                   Name                                       Plan       I
 +   pulumi:pulumi:Stack                    x-pulumi-tags-x-pulumi-tags-dev            create     5
 +   └─ eks:index:Cluster                   cluster                                    create     
 +      ├─ eks:index:RandomSuffix           cluster-cfnStackName                       create     
 +      ├─ eks:index:ServiceRole            cluster-instanceRole                       create     
 +      │  ├─ aws:iam:Role                  cluster-instanceRole-role                  create     
 +      │  ├─ aws:iam:RolePolicyAttachment  cluster-instanceRole-3eb088f2              create     
 +      │  ├─ aws:iam:RolePolicyAttachment  cluster-instanceRole-03516f97              create     
 +      │  └─ aws:iam:RolePolicyAttachment  cluster-instanceRole-e1b295bd              create     
 +      ├─ eks:index:ServiceRole            cluster-eksRole                            create     
 +      │  ├─ aws:iam:Role                  cluster-eksRole-role                       create     
 +      │  └─ aws:iam:RolePolicyAttachment  cluster-eksRole-4b490823                   create     
 +      ├─ aws:iam:InstanceProfile          cluster-instanceProfile                    create     
 +      ├─ aws:ec2:SecurityGroup            cluster-eksClusterSecurityGroup            create     
 +      ├─ aws:ec2:SecurityGroupRule        cluster-eksClusterInternetEgressRule       create     
 +      ├─ aws:eks:Cluster                  cluster-eksCluster                         create     
 +      ├─ pulumi:providers:kubernetes      cluster-eks-k8s                            create     
 +      ├─ aws:ec2:SecurityGroup            cluster-nodeSecurityGroup                  create     
 +      ├─ kubernetes:core/v1:ConfigMap     cluster-nodeAccess                         create     
 +      ├─ aws:ec2:SecurityGroupRule        cluster-eksExtApiServerClusterIngressRule  create     
 +      ├─ aws:ec2:SecurityGroupRule        cluster-eksNodeIngressRule                 create     
 +      ├─ aws:ec2:SecurityGroupRule        cluster-eksNodeInternetEgressRule          create     
 +      ├─ aws:ec2:SecurityGroupRule        cluster-eksClusterIngressRule              create     
 +      ├─ aws:ec2:SecurityGroupRule        cluster-eksNodeClusterIngressRule          create     
 +      ├─ eks:index:VpcCni                 cluster-vpc-cni                            create     
 +      ├─ aws:ec2:LaunchConfiguration      cluster-nodeLaunchConfiguration            create     
 +      ├─ aws:cloudformation:Stack         cluster-nodes                              create     
 +      └─ pulumi:providers:kubernetes      cluster-provider                           create     

Diagnostics:
  pulumi:pulumi:Stack (x-pulumi-tags-x-pulumi-tags-dev):
    eks:index:Cluster
    aws:eks/cluster:Cluster
    aws:ec2/securityGroup:SecurityGroup
    aws:ec2/securityGroupRule:SecurityGroupRule
    aws:ec2/securityGroup:SecurityGroup

Resources:
    + 27 to create

From these aws:eks/cluster:Cluster and aws:ec2/securityGroup:SecurityGroup are taggable, so you actually should see the autotags for these resources. Could you please describe in more detail where you see the problem and maybe post the whole Pulumi program?

[vwatinteg]

@tlinhart Thanks for the sample, and kind of makes sense. I don't have a full sample right now and I'll try to work on that. From what I've noticed, the cluster and the EC2 instances/launch templates didn't have the 'global tags' and from the list of what should have tags, makes sense.

[tlinhart]

Hmm, as I already posted, the EKS cluster should be tagged correctly. However, after reading the docs, there are some restrictions:

• Seems that the tags are created only while creating the resource. Don't know if that's your case or not.
• Tags do not propagate to other resources associated with the cluster, e.g. EC2 instances. There's also an open issue for that.

[vwatinteg]

This is a new creation case, not update. But good to know since I would have that use case too.

[tlinhart]

I think this is the same issue as with e.g. AWS Batch on AWS Fargate. You create a compute environment which implicitely creates an ECS cluster, but that won't be tagged. To actually tag it you have to manage a Tag resource like this:

aws.ecs.Tag(
    "user-project-tag",
    resource_arn=compute_environment.ecs_cluster_arn,
    key="user:Project",
    value=pulumi.get_project(),
)

And the same applies to e.g. EC2 instances in your case, that's why the aws.ec2.Tag resource exists.

[tlinhart]

If you provide an example that should work but doesn't (e.g. aws:eks/cluster:Cluster resource not being tagged) I'll have a look at it. Otherwise, I'll close the issue in a while as it falls outside supported use cases.

[vwatinteg]

Would I be able to re-open this or I would need to create a new ticket? Can you keep it open for a day and if I can't get the sample just close it.

[tlinhart]

Sure I'll leave it open for some time 👍

[vwatinteg]

@tlinhart I have double checked and I was expecting EC2 instances to be tagged but the are not part of this code and the pulumi_eks cluster does not actually create ec2 instances, they use the launch template. So I think you can close this, besides the cluster actually not being tagged.

Thank you!

[tlinhart]

I tried it in the wild and can confirm that the EKS cluster ending without autotags which I consider a bug. At the moment I don't know if there's something that we can do about it i.e. if it's something inherent to how component resources and stack transformations work in general. Will try to ask Pulumi. I'll leave the issue opened for now.

[tlinhart]

@vwatinteg I've been doing some more tests to see if the current approach works in general for component resources and it does. However, I found this by chance:

Note that Transformations will be deprecated in the future in favor of Transforms.

Transforms support modifying child resources of packaged components (such as those in awsx and eks) whereas Transformations do not.

See Migrating from Transformations to Transforms below for guidance on how to migrate from Transformations to Transforms.

I'll get into it and try to migrate from transformation to transform to see if it helps. If it does, I'll probably release a new (major) version.