Merge Tags from Azure RG with new Resource

Hello Terraform Experts,

I inherited some old Terraform code for deploying resources to Azure. One of the main components that I see in most of the modules is to merge the Resource Group tags with additional tags that go on individual resources. The Resource Group tags are outputs as a map of tags. For example:

output "resource_group_tags_map" {
  value       = { for r in azurerm_resource_group.this : => r.tags }
  description = "The Map of the Resource Group Tag's."

and then a resource like vnets or key vaults or whatever merges the RG tags with additional specific tags for the new resource given the name of the RG in a variable.

# merge Resource Group tags with Tags for VNET
# this is going to break if we change RGs
locals {
  location = var.net_location
  tags     = merge(var.net_additional_tags, data.azurerm_resource_group.this.tags)

This works just fine if we can set the net_location variable for the RG. It assumes that the resource being deployed will just fit into one RG. However, this is not the case anymore and we somehow need to build in a way for any RG to be chosen when deploying a resource.

The code below shows how the original concept works.

locals {
  location                   = var.net_location 
  tags                       = merge(var.net_additional_tags, data.azurerm_resource_group.this.tags)
# - Virtual Network
# -
resource "azurerm_virtual_network" "this" {
  for_each            = var.virtual_networks
  name                = each.value["name"]
  location            = data.azurerm_resource_group.this.location #local.location
  resource_group_name = var.resource_group_name
  address_space       = each.value["address_space"]
  dns_servers         = lookup(each.value, "dns_servers", null)

  tags = local.tags

looking for help therefore to work around this. Say we create 100 vnets and each one of them goes into a different RG, we couldn’t create 100 different variables to capture that as it would become too cumbersome.

I thought of something like this, but don’t believe this will work. I think the main issue is how to use the name of the RG as a key or something to the RG outputs, but not sure.

Here is my Key Vault config in an attempt to make this work.

resource "azurerm_key_vault" "this" {
  for_each                        = var.key_vaults
  name                            = each.value["name"]
  location                        = each.value["location"]
  resource_group_name             = each.value["resource_group_name"]
  sku_name                        = each.value["sku_name"]
  access_policy                   = var.access_policies
  enabled_for_deployment          = each.value["enabled_for_deployment"]
  enabled_for_disk_encryption     = each.value["enabled_for_disk_encryption"]
  enabled_for_template_deployment = each.value["enabled_for_template_deployment"]
  enable_rbac_authorization       = each.value["enable_rbac_authorization"]
  purge_protection_enabled        = each.value["purge_protection_enabled"]
  soft_delete_retention_days      = each.value["soft_delete_retention_days"]
  tags                            = merge(each.value["tags"], WITH SOMETHING LIKE data.azurerm_resource_group[each.key]["resource_group_name"].tags)

Thanks for your input

I have updated the code and it is on my Github as some of the code above is not correct anymore.