Guardrails for tagging
Automating resource owner tags.
Knowing who created a resource, and when, can save precious minutes during an incident. But it's notoriously difficult to enforce the necessary tag discipline. That leaves the cloud team in the unenviable position of nagging application teams to assign tags like created_by and created_time to the resources they create.
Here's how to use Turbot Guardrails to automate tagging and relieve that pain.
Get it done with Turbot Guardrails
Turbot Guardrails watches your environment in real time and delivers notifications of all changes to resources. The created_by value is stored in the notifications table's actor object, and the created_time value is in the turbot object. Here's a query to extract these values from the two objects, using a notifications filter.
And here is a template for a calculated policy that uses the query, and can be applied to any resource type.
We identify the creator by selecting items[0], the first CMDB activity notification for this resource. You can use the same query and template for any taggable resource in AWS, Azure and GCP. If you're using the template for GCP Labels, though, you may need to convert your variables to be GCP-Label-friendly: GCP has pesky label requirements.
We can tweak the tagging template to convert to lowercase and replace unapproved characters:
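The same conversion written as a stand-alone Python example (added here; it is not the post's own calculated-policy template). It applies the GCP label rules the post alludes to: lowercase letters, digits, underscores and hyphens only, at most 63 characters, and a key that starts with a letter. The k_ prefix for bad keys and the sample actor string are constructed for illustration.

```python
import re

# GCP label rules for keys and values: lowercase letters, digits, underscore and
# hyphen, at most 63 characters. A key must also be non-empty and start with a
# lowercase letter; a value may be empty.
MAX_LABEL_LEN = 63
_DISALLOWED = re.compile(r"[^a-z0-9_-]")


def to_gcp_label_value(raw: str) -> str:
    """Lowercase the value, replace every disallowed character with '_', truncate."""
    value = _DISALLOWED.sub("_", raw.strip().lower())
    return value[:MAX_LABEL_LEN]


def to_gcp_label_key(raw: str) -> str:
    """Same as the value rule, plus the key must start with a lowercase letter.

    The 'k_' prefix used to repair a bad leading character is a constructed
    convention for this example, not a GCP or Turbot requirement.
    """
    key = to_gcp_label_value(raw)
    if not key or not key[0].isalpha():
        key = ("k_" + key)[:MAX_LABEL_LEN]
    return key


def gcp_labels_for_creator(actor: str, created_time: str) -> dict:
    """Build the created_by / created_time label pair from raw notification values."""
    return {
        to_gcp_label_key("created_by"): to_gcp_label_value(actor),
        to_gcp_label_key("created_time"): to_gcp_label_value(created_time),
    }


if __name__ == "__main__":
    # Constructed sample values: an IAM-style actor identity and an ISO timestamp,
    # both of which contain characters GCP labels reject (':' '/' and uppercase).
    sample_actor = "arn:aws:iam::123456789012:user/Alice"
    sample_time = "2024-03-09T14:05:22Z"
    print(gcp_labels_for_creator(sample_actor, sample_time))
```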
Make it happen!
See for yourself how calculated policies give you tagging superpowers. The code examples above are available as a Terraform template in the Turbot Development Kit (TDK). If you need any assistance, let us know in our Slack community #guardrails channel. If you are new to Turbot, connect with us to learn more!