How To

Tagging with context

Automate application of resource tags from CMDB metadata.

Bob Tordella
5 min. read - May 18, 2021
Automate application of resource tags from CMDB metadata.

Tagging is a crucial component for cloud operations, security and compliance. The most common tagging methodologies rely on owner-assigned resource tags to add external context to resources; however, additional deep context can be added to resources via automation.

This post looks at how to “level up” your tagging game using automation and additional context from the Turbot Guardrails CMDB.

Traditional Workflow

Quick and transparent visibility to resource metadata can save precious minutes during an incident, but compliance from application teams to create and update tags is notoriously difficult to enforce. This leaves the cloud team in the unenviable position of nagging application teams to complete tagging of their resources.

For information that is dynamic, the problem is even more difficult. We don’t recommend trying to implement tagging standards for dynamic data unless you are using automation to implement it.

Get it done with Turbot Guardrails

Turbot Guardrails tagging controls are consistent across AWS, Azure and GCP resources. Furthermore, all resource metadata is stored in Turbot Guardrails cloud scale CMDB and updated in real-time as configurations change. Any detailed information in the CMDB can be leveraged for your resource tagging templates. For example, an AWS EC2 instance has over 100 fields that could be used in tag templates:

To demonstrate the approach we will use a Turbot Guardrails calculated policy to tag our EC2 instances with their corresponding ImageId, Instance Type, SubnetId and VpcID:

First, set the calculated policy query:

{
instance {
ImageId
InstanceType
SubnetId
VpcId
}
}

Then, the calculated policy output template:

Image: "{{ $.instance.ImageId }}"
Type: "{{ $.instance.InstanceType }}"
Subnet: "{{ $.instance.SubnetId }}"
VPC: "{{ $.instance.VpcId }}"

Finally, set a standard policy to enforce the Tag control:

The example above can easily be adjusted for any resource that can be tagged:

  • The tagging controls and templates are always found as a subset of the resource e.g.: {Cloud Provider} > {Service} > {Resource} > Tags > Template

  • The naming and functions are consistent across all cloud providers & resources.

  • In addition, whenever the underlying configuration changes, Turbot Guardrails will update the tags with new correct values.

Setting the configuration via the Turbot Guardrails Terraform Provider is just as easy:

After setting this policy, Turbot Guardrails will identify all resources that do not have the tags applied correctly, and then handle their remediation (i.e. set the tags).

If you are not yet ready to enforce remediation, you can still assess (and get alerts for) what resources do not have matching tags by changing the policy setting from Enforce: Tags are correct to Check: Tags are correct.

Make it happen!

See for yourself how easy it is to manage your tagging configurations across your cloud resources. A ready-to-run Terraform template is available to enable this configuration from the Turbot Development Kit (TDK). If you need any assistance, let us know in our Slack community #guardrails channel. If you are new to Turbot, connect with us to learn more!