From 5df581288c8703a9b295ab5c17ab47f54ac6b2c4 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 21 Oct 2025 20:02:33 -0400 Subject: [PATCH] remove tags as they are handled at the provider --- additional_sg_rules.tf | 8 ++++++++ cluster-admin.tf | 6 ------ irsa-roles.tf | 4 ---- main.tf | 18 +++++------------- 4 files changed, 13 insertions(+), 23 deletions(-) diff --git a/additional_sg_rules.tf b/additional_sg_rules.tf index 112b7b4..b93a8bf 100644 --- a/additional_sg_rules.tf +++ b/additional_sg_rules.tf @@ -25,5 +25,13 @@ locals { to_port = 10251 type = "ingress" } + ingress_cert_manager_webhook = { + description = "Cert Manager webhook" + from_port = 9402 + protocol = "tcp" + source_cluster_security_group = true + to_port = 9402 + type = "ingress" + } } } diff --git a/cluster-admin.tf b/cluster-admin.tf index 1f82da3..322c734 100644 --- a/cluster-admin.tf +++ b/cluster-admin.tf @@ -83,7 +83,6 @@ resource "aws_iam_role" "role_cluster-admin" { assume_role_policy = data.aws_iam_policy_document.allow_sts.json force_detach_policies = true - tags = var.tags } resource "aws_iam_policy_attachment" "cluster-admin-attach" { @@ -100,11 +99,6 @@ resource "aws_iam_policy" "cluster-admin-policy" { path = "/" description = "Allow for administration of the cluster ${var.cluster_name} using AWS resources" policy = data.aws_iam_policy_document.cluster-admin-policy.json - - tags = merge( - local.base_tags, - var.tags - ) } data "aws_iam_policy_document" "cluster-admin-policy" { diff --git a/irsa-roles.tf b/irsa-roles.tf index 9d06500..f3e20b7 100644 --- a/irsa-roles.tf +++ b/irsa-roles.tf @@ -14,7 +14,6 @@ module "vpc_cni_irsa_role" { namespace_service_accounts = ["kube-system:aws-node"] } } - tags = local.tags } module "ebs_csi_irsa_role" { @@ -31,7 +30,6 @@ module "ebs_csi_irsa_role" { namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"] } } - tags = local.tags } module "efs_csi_irsa_role" { 
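Review bot: The new `ingress_cert_manager_webhook` entry in additional_sg_rules.tf opens TCP 9402, which as far as I know is cert-manager's default metrics port, while the webhook's default secure port in the Helm chart is 10250. Please confirm which port the webhook actually listens on in this cluster; a mismatch would leave an unneeded ingress open while the control plane still cannot reach the webhook. The rule is also unrelated to the commit subject about tag removal, so it would be easier to audit as its own commit. If 9402 is intentional, a comment such as `# must match cert-manager webhook.securePort in the Helm values` above the entry would record why. The enclosing `locals` map starts outside the hunk.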
@@ -48,7 +46,6 @@ module "efs_csi_irsa_role" {
 namespace_service_accounts = ["kube-system:efs-csi-controller-sa"]
 }
 }
- tags = local.tags
 }
 
 module "cloudwatch_observability_irsa_role" {
@@ -67,5 +64,4 @@ module "cloudwatch_observability_irsa_role" {
 ]
 }
 }
- tags = local.tags
 }
diff --git a/main.tf b/main.tf
index 0aea351..9392b05 100644
--- a/main.tf
+++ b/main.tf
@@ -1,17 +1,10 @@
 locals {
 additional_policies = {}
- base_tags = {
- "boc:eks_cluster_name" = var.cluster_name
- "boc:tf_module_name" = local.module_name
- "boc:tf_module_version" = local.module_version
- "karpenter.sh/discovery" = var.cluster_name
- }
- max_tag_count = 45
- ng_name = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name)
- subnets = [for k, v in data.aws_subnet.subnets : v.id if length(regexall("us-east-1e", v.availability_zone)) == 0]
- tags = merge(local.base_tags, var.tags)
- vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block
- vpc_id = data.aws_vpc.eks_vpc.id
+ max_tag_count = 45
+ ng_name = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name)
+ subnets = [for k, v in data.aws_subnet.subnets : v.id if length(regexall("us-east-1e", v.availability_zone)) == 0]
+ vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block
+ vpc_id = data.aws_vpc.eks_vpc.id
 }
 
 resource "terraform_data" "subnet_validation" {
@@ -129,7 +122,6 @@ module "cluster" {
 }
 }
 }
- tags = local.tags
 }
 
 # Tag existing subnets for EKS
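Review bot: Deleting `base_tags` in the main.tf `locals` block drops the per-cluster `"karpenter.sh/discovery" = var.cluster_name` tag along with the `boc:*` tags, and nothing visible in this patch shows the provider's `default_tags` supplying equivalent per-cluster values. Provider default tags do not reach everything: `aws_autoscaling_group` does not inherit them, and instances or volumes tagged through a launch template's `tag_specifications` only receive what is passed explicitly. Removing `tags = local.tags` from `module "cluster"` (last hunk) and from the IRSA modules in irsa-roles.tf may therefore change what lands on node resources. If any IAM condition, Karpenter selector or ownership control keys on these tags, confirm with a plan diff that they survive. `max_tag_count = 45` also looks orphaned now that the tag locals are gone; whether it is still referenced is outside the hunk.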