Let sub-account-users have full access to ALL tags

[veqryn]

Using version 1.1.2 of terraform, and 2.1.3 of upcloud provider.

I created an account yesterday to try upcloud out.
I tried to create the following resource in terraform:

resource "upcloud_server" "something01" {
  title    = "something01"
  hostname = "something01"
  zone     = "us-chi1"
  plan     = "1xCPU-1GB"
  metadata = false

  template {
    storage = "Ubuntu Server 20.04 LTS (Focal Fossa)"
    size    = 25
  }

  network_interface {
    type = "public"
  }

  login {
    create_password = false
    keys = [var.ssh_key_public]
  }
}

This resulted in the following error message:

Plan: 1 to add, 0 to change, 0 to destroy.

upcloud_server.something01: Creating...
│ Error: The requested action is forbidden. (ACTION_FORBIDDEN)
│
│   with upcloud_server.something01,
│   on main.tf line 5, in resource "upcloud_server" "something01":
│    5: resource "upcloud_server" "something01" {

I'm not sure why I got an error, as I do have permission and had previously created a similar server in the web console, before deleting it.

However, I saw in the upcloud web console that the server was created.

Running "terraform apply" a second time, showed that the resource was going to be replaced:

Terraform detected the following changes made outside of Terraform since the last "terraform apply":
  # upcloud_server.something01 has changed
  ~ resource "upcloud_server" "something01" {
      + cpu      = 1
      ~ firewall = false -> true
        id       = "0067975d-6122-49a0-82a2-612fdb930663"
      + mem      = 1024

      ~ network_interface {
          + ip_address          = "209.50.50.51"
          + mac_address         = "3a:53:e7:32:2d:ce"
          + network             = "03000000-0000-4000-8021-000000000000"
        }

      + storage_devices {
          + address = "virtio"
          + storage = "013388e6-58fa-4702-8bc6-f20610bf868a"
          + type    = "disk"
        }
    }

Terraform will perform the following actions:

  # upcloud_server.something01 is tainted, so must be replaced
-/+ resource "upcloud_server" "something01" {
      ~ cpu      = 1 -> (known after apply)
      - firewall = true -> null
      ~ id       = "0067975d-6122-49a0-82a2-612fdb930663" -> (known after apply)
      ~ mem      = 1024 -> (known after apply)

      ~ network_interface {
          ~ ip_address          = "209.50.50.51" -> (known after apply)
          ~ ip_address_floating = false -> (known after apply)
          ~ mac_address         = "3a:53:e7:32:2d:ce" -> (known after apply)
          ~ network             = "03000000-0000-4000-8021-000000000000" -> (known after apply)
        }

      - storage_devices {
          - address = "virtio" -> null
          - storage = "013388e6-58fa-4702-8bc6-f20610bf868a" -> null
          - type    = "disk" -> null
        }

      ~ template {
          + address = (known after apply)
          + id      = (known after apply)
          + tier    = (known after apply)
          ~ title   = "terraform-something01-disk" -> (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

So I decided to delete it and start over:

$ terraform_1_1 apply --target=upcloud_server.something01 --destroy
...
upcloud_server.something01: Destroying... [id=0067975d-6122-49a0-82a2-612fdb930663]
upcloud_server.something01: Still destroying... [id=0067975d-6122-49a0-82a2-612fdb930663, 10s elapsed]
upcloud_server.something01: Still destroying... [id=0067975d-6122-49a0-82a2-612fdb930663, 20s elapsed]
│ Error: The request method DELETE is not supported by the resource. (METHOD_NOT_ALLOWED)

Deleting gave the above error message, but it DID delete the server from the web console.
It did NOT delete the storage device that was previously attached to it though.

Anyway, I now decided to try refreshing so that I could retry the creation:

$ terraform_1_1 plan
upcloud_server.something01: Refreshing state... [id=0067975d-6122-49a0-82a2-612fdb930663]
│ Error: The server 0067975d-6122-49a0-82a2-612fdb930663 does not exist. (SERVER_NOT_FOUND)
│
│   with upcloud_server.something01,
│   on main.tf line 5, in resource "upcloud_server" "something01":
│    5: resource "upcloud_server" "something01" {

And now terraform is stuck, with no way to move on.
Yes, I can manually edit the terraform state file, but you really aren't supposed to do that, and this provider needs to be fixed to not get into a bad state like this, and be able to recover if it does.

So the bugs I encountered are:

1. Creating a resource failed in terraform, even though the resource was actually created, giving a ACTION_FORBIDDEN error.
2. Re-running plan/apply on a created resource showed that it must be replaced, even though it was just created to the stated specs: upcloud_server.something01 is tainted, so must be replaced
3. This provider failed to fully destroy a simple server resource, leaving the storage behind. If this is intended, it should be documented and have a flag or something in the terraform resource to allow a full deletion when a separate storage resource is not defined in terraform.
4. This provider failed when deleting a simple server resoruce, giving a METHOD_NOT_ALLOWED error.
5. This provider failed to properly update terraform state after destroying a resource.
6. Attempting to refresh/plan/apply becomes impossible after this provider fails at deleting a resource, giving a SERVER_NOT_FOUND error.

[veqryn]

Re-running the above with TF_LOG=TRACE
Gives the following for the creation:

...
2021-12-28T23:11:58.432-0700 [WARN]  ValidateProviderConfig from "provider[\"registry.terraform.io/upcloudltd/upcloud\"]" changed the config value, but that value is unused
...
2021-12-28T23:11:58.981-0700 [WARN]  Provider "registry.terraform.io/upcloudltd/upcloud" produced an invalid plan for upcloud_server.something01, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .network_interface[0].source_ip_filtering: planned value cty.True for a non-computed attribute
      - .network_interface[0].bootable: planned value cty.False for a non-computed attribute
      - .network_interface[0].ip_address_family: planned value cty.StringVal("IPv4") for a non-computed attribute
...
upcloud_server.something01: Creating...
2021-12-28T23:12:02.704-0700 [INFO]  Starting apply for upcloud_server.something01
2021-12-28T23:12:02.704-0700 [DEBUG] upcloud_server.something01: applying the planned Create change
2021-12-28T23:12:02.704-0700 [TRACE] GRPCProvider: ApplyResourceChange
2021-12-28T23:12:07.091-0700 [TRACE] dag/walk: vertex "root" is waiting for "provider[\"registry.terraform.io/upcloudltd/upcloud\"] (close)"
2021-12-28T23:12:07.091-0700 [TRACE] dag/walk: vertex "provider[\"registry.terraform.io/upcloudltd/upcloud\"] (close)" is waiting for "upcloud_server.something01"
2021-12-28T23:12:08.344-0700 [INFO]  provider.terraform-provider-upcloud_v2.1.3: 2021/12/28 23:12:08 [INFO] Server something01 with UUID 00a324f2-44a3-4036-9d4d-e3bcad397f3d created: timestamp=2021-12-28T23:12:08.344-0700
2021-12-28T23:12:08.673-0700 [TRACE] maybeTainted: upcloud_server.something01 encountered an error during creation, so it is now marked as tainted
2021-12-28T23:12:08.673-0700 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for upcloud_server.something01
2021-12-28T23:12:08.673-0700 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: writing state object for upcloud_server.something01
2021-12-28T23:12:08.673-0700 [TRACE] evalApplyProvisioners: upcloud_server.something01 is tainted, so skipping provisioning
2021-12-28T23:12:08.673-0700 [TRACE] maybeTainted: upcloud_server.something01 was already tainted, so nothing to do
2021-12-28T23:12:08.673-0700 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for upcloud_server.something01
2021-12-28T23:12:08.673-0700 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: writing state object for upcloud_server.something01
2021-12-28T23:12:08.674-0700 [TRACE] statemgr.Filesystem: creating backup snapshot at terraform.tfstate.backup
2021-12-28T23:12:08.678-0700 [TRACE] statemgr.Filesystem: state has changed since last snapshot, so incrementing serial to 11
2021-12-28T23:12:08.678-0700 [TRACE] statemgr.Filesystem: writing snapshot at terraform.tfstate
2021-12-28T23:12:08.681-0700 [ERROR] vertex "upcloud_server.something01" error: The requested action is forbidden. (ACTION_FORBIDDEN)
2021-12-28T23:12:08.681-0700 [TRACE] vertex "upcloud_server.something01": visit complete, with errors
2021-12-28T23:12:08.682-0700 [TRACE] dag/walk: upstream of "provider[\"registry.terraform.io/upcloudltd/upcloud\"] (close)" errored, so skipping
2021-12-28T23:12:08.682-0700 [TRACE] dag/walk: upstream of "root" errored, so skipping
2021-12-28T23:12:08.682-0700 [TRACE] statemgr.Filesystem: have already backed up original terraform.tfstate to terraform.tfstate.backup on a previous write
2021-12-28T23:12:08.683-0700 [TRACE] statemgr.Filesystem: state has changed since last snapshot, so incrementing serial to 12
2021-12-28T23:12:08.683-0700 [TRACE] statemgr.Filesystem: writing snapshot at terraform.tfstate
╷
│ Error: The requested action is forbidden. (ACTION_FORBIDDEN)
│
│   with upcloud_server.something01,
│   on main.tf line 5, in resource "upcloud_server" "something01":
│    5: resource "upcloud_server" "something01" {
│
╵
2021-12-28T23:12:08.684-0700 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
2021-12-28T23:12:08.685-0700 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock
2021-12-28T23:12:08.687-0700 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-12-28T23:12:08.688-0700 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/upcloudltd/upcloud/2.1.3/linux_amd64/terraform-provider-upcloud_v2.1.3 pid=7644
2021-12-28T23:12:08.688-0700 [DEBUG] provider: plugin exited

[Darep]

Thanks for the comprehensive and detailed report! I tried to replicate this with Terraform 1.1.2 and upcloud provider at 2.1.3 locally, but things work fine on my computer. Seems like there's some fundamental problem here causing all of the commands to error 🤔

As you created the account yesterday, is your account still on the free trial? And are you using a subaccount to run Terraform?

Snippets from my console below:

~ # terraform version
Terraform v1.1.2
on linux_amd64
+ provider registry.terraform.io/upcloudltd/upcloud v2.1.3

~ # UPCLOUD_USERNAME=<secret> UPCLOUD_PASSWORD=<secret> terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # upcloud_server.something01 will be created
  + resource "upcloud_server" "something01" {
[...]
upcloud_server.something01: Creation complete after 40s [id=00666069-aa4f-465a-9c86-fc269ff2fb4e]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

[veqryn]

My understanding is that there is no way to run any of this without creating a sub-account, because API access is not permitted to the main account. I did create a sub-account, and confirmed that the API works, and that the sub-account has both access to the API and access to all servers, all storage, all network. (Also note that the creation of the resources did succeed, it just failed to update terraform properly, so clearly the access is not the problem.)
Yes, I am still on the free trial.

[Darep]

Cheers! The free trial has some interesting restrictions (for example limited amount of CPU cores and storage) so my suspicion is that it's causing the multitude of permission errors here. Just a guess though, could be something else as well, especially as I just created a new trial account and ran terraform apply for something01.tf and it worked fine for me (again) 😅 Though running apply again gives error seen below* (trial users cannot disable the firewall)

You can actually use the main account if you do not enable 2FA & enable the API access in the Hub via the Account-page (top right). But UpCloud recommends you to have 2FA enabled on the main account, so subaccount is the way to go for now 😊

*)

upcloud_server.something01: Modifying... [id=0089679d-39c5-4e74-8fa4-e3274143acd9]
╷
│ Error: Trial mode firewall cannot be disabled. (TRIAL_FIREWALL)
│ 
│   with upcloud_server.something01,
│   on something01.tf line 15, in resource "upcloud_server" "something01":
│   15: resource "upcloud_server" "something01" {
│ 
╵

[veqryn]

Will try paying and see if the errors continue.

[Darep]

Let me know how it goes! I've now tried a good number of different configurations that I could think of, but cannot replicate the errors unfortunately, even with a fresh trial account. I have a fear there is some small, hard-to-spot/hard-to-realize thing somewhere causing this.

[veqryn]

Took a while to become paid. Anyway, I'm still getting all the same errors.

Here is my current configuration:

terraform {
  required_version = ">= 1.1.2"

  required_providers {
    upcloud = {
      source  = "UpCloudLtd/upcloud"
      version = ">= 2.1.3"
    }
  }
}

provider "upcloud" {
  username = var.upcloud_username
  password = var.upcloud_password
}

resource "upcloud_storage" "something01" {
  title = "something01"
  zone  = "us-chi1"
  size  = 25
  tier  = "maxiops"
}

resource "upcloud_server" "something01" {
  title    = "something01"
  hostname = "something01"
  zone     = "us-chi1"
  plan     = "1xCPU-1GB"
  metadata = true
  firewall = false

  template {
    storage = "Ubuntu Server 20.04 LTS (Focal Fossa)"
    size    = 25
    address = "virtio"
  }

  storage_devices {
    type = "disk"
    address = "virtio"
    storage = upcloud_storage.something01.id
  }

  network_interface {
    type                = "public"
    ip_address_family   = "IPv4"
    bootable            = false
    source_ip_filtering = true
  }

  network_interface {
    type                = "public"
    ip_address_family   = "IPv6"
    bootable            = false
    source_ip_filtering = true
  }

  network_interface {
    type                = "utility"
    ip_address_family   = "IPv4"
    bootable            = false
    source_ip_filtering = true
  }

  login {
    create_password = false
    keys            = [var.ssh_key_public]
  }
}

Can you please post a full working complete and self-contained simple example of both a storage and server resource, based off of Ubuntu 20.04 (just one disk/storage please, not two), with both ipv4 and ipv6, please?

Also, separately, how to create a storage clone of a public template (ie: Ubuntu 20.04)? I get error: Cloning of public templates is not allowed. (STORAGE_TYPE_ILLEGAL) when I use clone { id = "01000000-0000-4000-8000-000030200200" }

[Darep]

Your current configuration looks completely fine. I just ran it using my test account and it works for me. Here is the full transcript from my console:

Click to open transcript

~ # cat something01.tf 
terraform {
  required_providers {
    upcloud = {
      source = "UpCloudLtd/upcloud"
      version = "2.1.3"
    }
  }
}

variable "ssh_key_public" {
  type = string
  default = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEldJlXojPrCK17MZK94hJam2Nhjwuj2wdFpZpqNGhVK"
}

resource "upcloud_storage" "something01" {
  title = "something01"
  zone  = "us-chi1"
  size  = 25
  tier  = "maxiops"
}

resource "upcloud_server" "something01" {
  title    = "something01"
  hostname = "something01"
  zone     = "us-chi1"
  plan     = "1xCPU-1GB"
  metadata = true
  firewall = false

  template {
    storage = "Ubuntu Server 20.04 LTS (Focal Fossa)"
    size    = 25
    address = "virtio"
  }

  storage_devices {
    type = "disk"
    address = "virtio"
    storage = upcloud_storage.something01.id
  }

  network_interface {
    type                = "public"
    ip_address_family   = "IPv4"
    bootable            = false
    source_ip_filtering = true
  }

  network_interface {
    type                = "public"
    ip_address_family   = "IPv6"
    bootable            = false
    source_ip_filtering = true
  }

  network_interface {
    type                = "utility"
    ip_address_family   = "IPv4"
    bootable            = false
    source_ip_filtering = true
  }

  login {
    create_password = false
    keys            = [var.ssh_key_public]
  }
}
~ # UPCLOUD_USERNAME=<secret> UPCLOUD_PASSWORD=<secret> terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # upcloud_server.something01 will be created
  + resource "upcloud_server" "something01" {
      + cpu      = (known after apply)
      + firewall = false
      + hostname = "something01"
      + id       = (known after apply)
      + mem      = (known after apply)
      + metadata = true
      + plan     = "1xCPU-1GB"
      + title    = "something01"
      + zone     = "us-chi1"

      + login {
          + create_password   = false
          + keys              = [
              + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEldJlXojPrCK17MZK94hJam2Nhjwuj2wdFpZpqNGhVK",
            ]
          + password_delivery = "none"
        }

      + network_interface {
          + bootable            = false
          + ip_address          = (known after apply)
          + ip_address_family   = "IPv4"
          + ip_address_floating = (known after apply)
          + mac_address         = (known after apply)
          + network             = (known after apply)
          + source_ip_filtering = true
          + type                = "public"
        }
      + network_interface {
          + bootable            = false
          + ip_address          = (known after apply)
          + ip_address_family   = "IPv6"
          + ip_address_floating = (known after apply)
          + mac_address         = (known after apply)
          + network             = (known after apply)
          + source_ip_filtering = true
          + type                = "public"
        }
      + network_interface {
          + bootable            = false
          + ip_address          = (known after apply)
          + ip_address_family   = "IPv4"
          + ip_address_floating = (known after apply)
          + mac_address         = (known after apply)
          + network             = (known after apply)
          + source_ip_filtering = true
          + type                = "utility"
        }

      + storage_devices {
          + address = "virtio"
          + storage = (known after apply)
          + type    = "disk"
        }

      + template {
          + address = "virtio"
          + id      = (known after apply)
          + size    = 25
          + storage = "Ubuntu Server 20.04 LTS (Focal Fossa)"
          + tier    = (known after apply)
          + title   = (known after apply)
        }
    }

  # upcloud_storage.something01 will be created
  + resource "upcloud_storage" "something01" {
      + id    = (known after apply)
      + size  = 25
      + tier  = "maxiops"
      + title = "something01"
      + zone  = "us-chi1"
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

upcloud_storage.something01: Creating...
upcloud_storage.something01: Still creating... [10s elapsed]
upcloud_storage.something01: Creation complete after 17s [id=019d9cba-7e26-4ff6-8d57-6b9d23f320be]
upcloud_server.something01: Creating...
upcloud_server.something01: Still creating... [10s elapsed]
upcloud_server.something01: Still creating... [20s elapsed]
upcloud_server.something01: Still creating... [30s elapsed]
upcloud_server.something01: Still creating... [40s elapsed]
upcloud_server.something01: Still creating... [50s elapsed]
upcloud_server.something01: Creation complete after 56s [id=008327d2-8608-4c26-bf37-76cc2ad813e4]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
~ # UPCLOUD_USERNAME=<secret> UPCLOUD_PASSWORD=<secret> terraform plan
upcloud_storage.something01: Refreshing state... [id=019d9cba-7e26-4ff6-8d57-6b9d23f320be]
upcloud_server.something01: Refreshing state... [id=008327d2-8608-4c26-bf37-76cc2ad813e4]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
~ # 

A bit stumped by this now, I'll try to dig deeper.

I'll check the cloning and get back to you on that 😄

[veqryn]

It shouldn't matter, but I am running all this from inside WSL2 (Ubuntu Linux on Windows 10 Pro).
Can you also try running it using the authentication for a Sub-Account-User, who has API access but does NOT have web control panel access? I have MFA setup on my main user.

[Darep]

Also, separately, how to create a storage clone of a public template (ie: Ubuntu 20.04)? I get error: Cloning of public templates is not allowed. (STORAGE_TYPE_ILLEGAL) when I use clone { id = "01000000-0000-4000-8000-000030200200" }

This is intentional and working as intended: you cannot clone public templates as they have custom, special initialization logic (like networking stuff) that needs to be run by a server. You can create a server from the Ubuntu 20.04 template, shut it down immediately, clone that as a custom template and use your custom template 😊

Can you also try running it using the authentication for a Sub-Account-User, who has API access but does NOT have web control panel access?

Good idea. Worked ok for me without web control panel access…

[veqryn]

Ok, so if you can't clone a public template, can you please explain or show how to create, in terraform, a server resource that uses a single defined storage resource, and it starts up with Ubuntu 20.04?
The config I posted last ends up creating 2 storage disks, which was not my intention.

[Darep]

Are you using, or did you use ”tags”/”tag” at some point? They have some known problems
with subaccounts; namely, only main account can do things with tags, subaccounts cannot.

[veqryn]

Yes, I was adding tags on the server. I deleted that from my examples as it seemed unimportant, lol 💩 .

resource "upcloud_server" "something01" {
  // ... above stuff ...

  tags = [
    var.environment,
    var.automation,
    "gitlocation/something/upcloud/terraform",
  ]
}

If that is truly the problem, then I think the answer is to give an option for sub-account-user access to "All" tags, just like you have for servers, storage, and networking.
I should be able to do everything with terraform and the api using a sub-account-user, especially since doing so with my main user is blocked with MFA active.

[Darep]

Ahh, yes, so the tags are causing the weird problems 😄 UpCloud uses tags primarily for access control, so using them as ”labels” can cause problems that seem irrelevant, hehe. I’d suggest not using tags for now. We are working on a fix for this but timetable is open.

As to the cloning of Ubuntu, i’m afraid it doesn’t make sense to do that in terraform as the process doesn’t conform to the ”idea” of terraform. I’d suggest simply doing it via the Hub once:

1. create a server with Ubuntu 20.04 at hub.upcloud.com
2. Shutdown that server
3. Go to Storages and click on the ”templatize” button on the newly created storage, name the template something like ”custom ubuntu 20.04” and use its uuid in the clone
4. Delete the server and its storage

[veqryn]

Ok, I will ignore tags for now.

Is cloning doesn't make sense, is there another way to accomplish what I wish, without having to manually do anything through the web console?

I should be able to create a single server resource and a single attached storage resource, and start the server with Ubuntu 20.04, all within terraform. I am able to do this on all other cloud providers that I've tried so far.

[Darep]

Actually I just remembered we have Packer! I'd suggest using Packer to create a custom Ubuntu 20.04 template in a more "Terraform-y" way, the template should be more stable than our public template & you can have libs/apps that you might need in the template: https://github.com/UpCloudLtd/packer-plugin-upcloud and https://upcloud.com/community/tutorials/upcloud-packer-builder/

Replying to the question about this in Terraform: if you provide the template {} -block to the server, as you've done in your examples above, it will create 1 storage with Ubuntu 20.04 for that server. But it won't be a separate resource in the Terraform file unfortunately, it will be a nested resource inside the server. This is a limitation due to the way how UpCloud and its templates work + how Terraform wants things to work. So a separate storage resource cannot be currently used like that atm.

[veqryn]

I'll look into packer, but I do think this would be a useful and simple feature to have. (People should be able to get up and running without having to look into using packer.)
Do you want me to make a separate github issue as a feature request? Or do you want to rename this one?

The feature request would be that there should be a way to have the template on a server resource create the storage as a specific storage resource in terraform, or alternatively, to have there be a way to base a storage resource on a template.

Separately, I can keep this issue open until the problems with tags and sub-account-users are resolved.

Edit: I have no interest in packer. I run everything in docker containers. I just want a basic stable image to boot with, provided by the cloud provider.

[Darep]

Please do create a new issue for the template on a server 👍🙂 Makes things a bit easier to digest

[kidmis]

Hi, any progress/updates here?
I've faced with the same problem - sub-accounts aren't allowed to maintain tags. In general if account is allowed to create resource - it have to be able create or attach the tag. Could you explain why it's not permitted in UpCloud?

[kangasta]

Hello! No new updates on allowing subaccounts to manage tags, as those are used to manage access to servers instead of labeling them. However, we have added labels to servers (and other resources) that can be used to label your resources also from sub-accounts.