Well-Architected Framework
Create and implement a cloud resource tagging strategy
Managing thousands of cloud resources across regions, environments, and teams is complex. Tags are key-value pairs that help you manage, identify, organize, locate, and filter resources. It is important to have a clear, well-defined cloud resource tagging strategy. You can also use tags to track cost allocation and usage, and automate resource management tasks.
AWS, Azure, and IBM maintain best practices and strategies for tagging your cloud resources. Follow these best practices when creating your tagging strategy. You can apply these concepts to other infrastructure providers.
You can implement your tagging strategy using infrastructure as code (IaC) and enforce compliance with policy as code to prevent deploying resources that don't meet your tagging requirements.
When you implement a tagging strategy, you gain the following benefits:
- Easier resource tracking: Find resources by environment, owner, or other custom tag. For example, quickly find all servers in the 'dev' environment.
- Granular cost allocation: Track costs by project, team, or application.
- Tag-based resource automation: Automate resource management tasks based on tags, such as starting or stopping instances.
- Default resource compliance: Enforce tagging policies to ensure all resources are tagged correctly.
How to deploy tags using infrastructure as code
Consistent implementation of your tagging strategy helps you track infrastructure costs, manage resources, and ensure compliance. When you apply tags inconsistently, for example by tagging resources by hand in a console, you end up with resources that have incorrect or missing tags, and those resources fall outside any cost report, automation, or policy check that keys on the tag.
When you manage your infrastructure with Terraform, you define tags in the resource's tags argument (or labels argument, for providers such as Google Cloud that use that term). Terraform applies those tags to that resource when it creates or updates it, and a change to the tags in configuration shows up as an in-place update in the plan.
The following creates an AWS EC2 instance and adds several tags to the resource:
resource "aws_instance" "web_server" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t3.micro"

  tags = {
    Name        = "web-server-prod"
    Environment = "production"
    Owner       = "platform-team"
    CostCenter  = "engineering"
    Application = "website"
  }
}
The AWS Terraform provider lets you set default tags (and the Google Cloud provider default labels) in the provider block, which the provider adds to every taggable resource it creates. This makes it easier to implement a consistent tagging strategy across the resources you manage with Terraform. Default tags ensure that all resources carry the minimum required tags; tags you set on an individual resource are merged on top, and a resource-level tag with the same key overrides the default for that resource only. On AWS, the merged result is exposed as the resource's computed tags_all attribute, while the tags attribute holds only what you set on the resource itself.
The following is an example using default tags:
provider "aws" {
  profile = "default"
  region  = "us-east-2"

  default_tags {
    tags = {
      Environment = "Test"
      Service     = "Payment API"
    }
  }
}
HashiCorp resources
- AWS provider resource tagging
- AWS default tags
- GCP default tags
- Learn how to configure default tags for AWS resources
Enforce tagging strategy policies
Once you define and implement your tagging strategy using infrastructure as code, you can enforce it to prevent the deployment of resources that do not comply.
Use the Terraform validation block
You can use the Terraform validation block to enforce tagging rules on the values that feed your tags. The validation block defines custom validation rules for an input variable: a condition expression that must be true and an error message Terraform reports when it is not. Because the check runs on the variable, not on the resource, it catches a bad tag value before Terraform produces a plan, but only for tags whose values come from that variable.
The following is an example of a Terraform validation block that ensures the environment tag is set to either dev, staging, or prod:
variable "environment" {
  type        = string
  description = "Environment name for resource tagging"

  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "Environment must be one of: dev, staging, prod."
  }
}
If you pass a value that does not satisfy the condition, Terraform reports the error message during terraform plan (or terraform apply) and stops before it creates a plan, so no resource is deployed with the invalid tag.
The following value passes the validation:
  environment = "prod"
The following value fails the validation because it is not one of dev, staging, or prod:
  environment = "testing"
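The following added example (not from the original page) ties the default tags section and the validation block section together. It goes beyond the single-value check above: the whole tag map is validated for required keys, an allowed Environment value, and non-empty values, and the validated map is then fed into the provider's default_tags so every AWS resource inherits it, with a per-resource Name merged on top. The variable name, the sample tfvars values, and the AMI ID reused from the earlier snippet are illustrative assumptions.

```hcl
# Added example, not code from the original page.
# Sample input (constructed), in terraform.tfvars:
#   tags = {
#     Environment = "prod"
#     Owner       = "platform-team"
#     CostCenter  = "engineering"
#   }

variable "tags" {
  type        = map(string)
  description = "Tags applied to every AWS resource in this configuration (assumed name)"

  # Every mandatory key must be present. Name is set per resource below,
  # so it is deliberately not required here.
  validation {
    condition = alltrue([
      for key in ["Environment", "Owner", "CostCenter"] : contains(keys(var.tags), key)
    ])
    error_message = "tags must include the keys Environment, Owner, and CostCenter."
  }

  # Environment is restricted to the same allowed values as the earlier example.
  # lookup() with a default keeps this check from erroring when the key is absent;
  # the first validation reports that case instead.
  validation {
    condition     = contains(["dev", "staging", "prod"], lookup(var.tags, "Environment", ""))
    error_message = "tags[\"Environment\"] must be one of: dev, staging, prod."
  }

  # Empty or whitespace-only values are useless for cost allocation and filtering.
  validation {
    condition     = alltrue([for v in values(var.tags) : length(trimspace(v)) > 0])
    error_message = "Tag values must not be empty."
  }
}

provider "aws" {
  region = "us-east-2"

  # The validated map becomes the default for every taggable resource
  # this provider creates.
  default_tags {
    tags = var.tags
  }
}

resource "aws_instance" "web_server" {
  ami           = "ami-0c55b159cbfafe1f0" # assumed AMI ID, reused from the page's example
  instance_type = "t3.micro"

  # Resource-level tags are merged on top of default_tags. A key set here that
  # also exists in default_tags overrides the default for this resource only.
  # The merged set is visible in the computed tags_all attribute; the tags
  # attribute holds only what is set here.
  tags = {
    Name = "web-server-${var.tags["Environment"]}"
  }
}
```

Run terraform plan with the sample tfvars and the instance is planned with all four tags. Remove CostCenter from the map, or set Environment to "testing", and Terraform stops with the matching error message before it produces a plan.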
Use policy as code
For more advanced enforcement of your tagging strategy, you can use policy as code tools such as HashiCorp Sentinel or the Open Policy Agent (OPA) to create policies that enforce tagging rules. You can integrate these policies into your CI/CD pipelines or with HCP Terraform to ensure that all resources comply with your tagging strategy before deployment.
The following pass-or-fail Sentinel policy fails the plan unless every AWS EC2 instance being created or updated has a Name tag:
import "tfplan/v2" as tfplan

# Get all AWS instances, from all modules, that this plan creates or updates
ec2_instances = filter tfplan.resource_changes as _, rc {
  rc.type is "aws_instance" and
    (rc.change.actions contains "create" or rc.change.actions is ["update"])
}

# Mandatory instance tags; add further keys to this list to require them too
mandatory_tags = [
  "Name",
]

# Rule: every matching instance must carry every mandatory tag after the change
mandatory_instance_tags = rule {
  all ec2_instances as _, instance {
    all mandatory_tags as mt {
      instance.change.after.tags contains mt
    }
  }
}

# "else true" makes the policy pass, rather than fail, when the rule evaluates
# to undefined instead of a boolean
main = rule {
  mandatory_instance_tags else true
}
Two caveats apply when you adapt this policy. First, it inspects the resource's tags attribute, which on AWS contains only the tags set on the resource itself; if your configuration supplies mandatory tags through the provider's default_tags, check the computed tags_all attribute instead, or the policy will reject resources that are correctly tagged. Second, the else true fallback in main means any case where the rule is undefined passes the policy, so test the policy against a plan that contains an instance with no tags argument at all and confirm it fails before you rely on it. You can write similar policies with OPA and HCP Terraform. Refer to the following resources for more information.
HashiCorp resources
- Read about the Terraform validation block
- Write a Sentinel policy for a Terraform deployment to ensure that the EC2 instance has a Name tag
- Learn how to define Open Policy Agent policies for HCP Terraform
- HCP Terraform policy enforcement overview
- Get started with Sentinel
External resources
- Use OPA to write policies ensuring all resources have tags before you create them.
Next steps
In this section of Manage cost, you learned how to tag resources using infrastructure as code and how to enforce tagging policies. Tagging resources is part of the Optimize systems pillar.
To learn more about how to manage your resources, visit the following resources: