[Turbot On] Tagging with Context

Automate application of resource tags from CMDB metadata.

Tagging is a crucial component for cloud operations, security and compliance. The most common tagging methodologies rely on owner-assigned resource tags to add external context to resources; however, additional deep context can be added to resources via automation.

This week we will look at how to “level up” your tagging game using automation and additional context from the Turbot CMDB

Traditional Workflow

Quick and transparent visibility to resource metadata can save precious minutes during an incident, but compliance from application teams to create and update tags is notoriously difficult to enforce. This leaves the cloud team in the unenviable position of nagging application teams to complete tagging of their resources.

For information that is dynamic, the problem is even more difficult. We don’t recommend trying to implement tagging standards for dynamic data unless you are using automation to implement it.

Get it done with Turbot

Turbot’s tagging controls are consistent across AWS, Azure and GCP resources. Furthermore, all resource metadata is stored in Turbot’s cloud scale CMDB and updated in real-time as configurations change.  Any detailed information in the CMDB can be leveraged for your resource tagging templates. For example, an AWS EC2 instance has over 100 fields that could be used in tag templates:

To demonstrate the approach we will use a Turbot calculated policy to tag our EC2 instances with their corresponding ImageId, Instance Type, SubnetId and VpcID:

First, set the calculated policy query:

{
  instance {
    ImageId
    InstanceType
    SubnetId
    VpcId
  }
}

Then, the calculated policy output template:

Image: "{{ $.instance.ImageId }}"
Type: "{{ $.instance.InstanceType }}"
Subnet: "{{ $.instance.SubnetId }}"
VPC: "{{ $.instance.VpcId }}"

Finally, set a standard policy to enforce the Tag control:

The example above can easily be adjusted for any resource that can be tagged:

  • The tagging controls and templates are always found as a subset of the resource e.g.: `{Cloud Provider} > {Service} > {Resource} > Tags > Template`

  • The naming and functions are consistent across all cloud providers & resources.

  • In addition, whenever the underlying configuration changes, Turbot will update the tags with new correct values.

Setting the configuration via Turbot’s Terraform provider is just as easy:

After setting this policy, Turbot will identify all resources that do not have the tags applied correctly, and then handle their remediation (i.e. set the tags).

If you are not yet ready to enforce remediation, you can still assess (and get alerts for) what resources do not have matching tags by changing the policy setting from `Enforce: Tags are correct `to `Check: Tags are correct`.

Make it happen

See for yourself how easy it is to manage your tagging configurations across your cloud resources. A ready-to-run Terraform template is available to enable this configuration from the Turbot Development Kit (TDK). If you need any assistance please reach out to Turbot Support, and keep an eye on your inbox for another Turbot tip next week!

Cheers,

Bob