[Turbot On] Tagging

Automating resource owner tags

Resource tagging can be used to track and manage assets, security, and compliance. This week we will look at some tagging best practices and see how Turbot can help enforce them.

Traditional Workflow

Quick and transparent visibility into who created a resource and when it was created can save precious minutes during an incident, but compliance with this is notoriously difficult to enforce. This leaves the cloud team in the unenviable position of nagging application teams to complete tagging of their resources.

Get it done with Turbot

In Turbot, the information on who created a resource is stored in the notifications table in the “actor” object, while the “turbot” object includes timestamp information. We can therefore create a calculated policy that takes the Actor / Creator information and the timestamp as its input.

How to do it

Calculated Policy Query:

Calculated Policy Template:

Using `items[0]`, we select the first activity notification from the CMDB about this resource, which allows us to identify the original creator of the resource. This example works well for any taggable resource in AWS, Azure and GCP with the same query and template. If you are using this template for GCP Labels, you may need to convert your variables to be GCP Label friendly, since GCP has pesky label requirements.

We can tweak the tagging template to convert to lowercase and replace unapproved characters:
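The same conversion as an added Python sketch (written for illustration, not Turbot's template or code from the Turbot Development Kit). It assumes the ASCII subset of GCP's label rules: keys and values of at most 63 characters drawn from lowercase letters, digits, underscores and dashes, with keys starting with a letter. The tag names, actor and timestamp are constructed sample values.

```python
import re

MAX_LEN = 63  # GCP limit for both label keys and label values


def to_gcp_label_value(raw: str) -> str:
    """Lowercase the input, replace disallowed characters, truncate to 63."""
    # Conservative: GCP also accepts international characters, but keeping to
    # [a-z0-9_-] guarantees the label is accepted.
    value = re.sub(r"[^a-z0-9_-]", "_", raw.lower())
    return value[:MAX_LEN]


def to_gcp_label_key(raw: str) -> str:
    """Same cleanup as values, plus: keys must be non-empty and start with a letter."""
    key = to_gcp_label_value(raw)
    if not key or not key[0].isalpha():
        key = "k" + key  # hypothetical prefix chosen for this example
    return key[:MAX_LEN]


def owner_labels(actor: str, created_at: str) -> dict:
    """Build creator/timestamp labels from notification data.

    "Created By" and "Created At" are hypothetical tag names, not names
    taken from the original post.
    """
    return {
        to_gcp_label_key("Created By"): to_gcp_label_value(actor),
        to_gcp_label_key("Created At"): to_gcp_label_value(created_at),
    }


if __name__ == "__main__":
    # Constructed sample input: an e-mail style actor and an ISO 8601 timestamp.
    print(owner_labels("Jane.Doe@Example.com", "2021-03-04T12:34:56.789Z"))
```

Distinct inputs can normalise to the same label (for example `jane.doe` and `jane_doe`), so treat the label as a pointer for triage and keep the notification record as the authoritative source of who created the resource.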

Make it happen

See for yourself how calculated policies give you tagging superpowers; the code examples above are available as a Terraform template in the Turbot Development Kit. If you need any assistance getting this configured in your environment, please reach out to Turbot Support, and keep an eye on your inbox for another Turbot tip next week!