Automate your tagging strategy with Guardrails

Intelligent tagging automation can validate and correct tagging non-conformance, making your cloud tagging strategy seamless and accurate across all cloud providers.

Turbot Team
5 min. read - Oct 03, 2023
Intelligent tagging automation can validate and correct tagging non-conformance, making your cloud tagging strategy seamless and accurate across all cloud providers.

Tagging strategies evolve over time, and are affected by mergers, acquisitions and mistakes during deployment. These issues accumulate large amounts of technical debt, making it difficult for organizations to rely on tag metadata for audit, support and billing purposes.

Turbot Guardrails has an insanely powerful tagging automation solution that works across multiple cloud providers. Its event-driven architecture scales to monitor millions of cloud resources in real-time without the scanning limitations of other products. These features give you the same power and flexibility you would get from building your own tagging remediation code, without all of the deployment, monitoring and maintenance hassles that typically entails. Guardrails becomes an automated member of your cloud team that remediates and rectifies incorrect tag values in real-time based on rules you establish.

While context-aware tagging capabilities have been part of Turbot for years, we've been relentlessly improving (based on customer feedback) and making them easier to implement. Our recent updates introduce innovative solutions tailored for intricate tagging scenarios, empowered by our enhanced calculated policy engine.

Mispellings & TypOs

The bane of most tagging strategies are common misspellings and typos; Guardrails' helper functions can automatically fix tag keys and values that are misspelled. Guardrails' calculated policy feature now has a helper function named transformMap. This function uses two inputs, the current list of tags/values (as a map object) and a set of rules to process on them.

The list of current tags for each resource is saved when Guardrails discovers it, and every time the resource is updated after:

"cost_center": "scranton-1138",
"environment": "prd",
"owner": "dwigt"

Rules define how Guardrails will handle current and future misspellings and typos:

- dwigt
- dwihgt

After processing the tag values against the rules above, Guardrails would automatically correct "owner": "dwigt" to "owner": "dwight".

Harmonization of changes in tag standards over time

The same function can be used to update or replace tags matching a previous standard to match a new standard. We will start again with our current tag values:

"cost_center": "scranton-1138",
"environment": "prd",
"owner": "dwight"

This time our rules will focus on changing our old key cost_center to our new standard value costcenter to make it more compatible across cloud resources that don't support underscore. Also, we have standardized the environment tag to only accept the values ['production','development']:

- cost_center
replacementValue: undefined
- prd
- /prod.*/gi
- /dev.*/gi

After processing the rules the resulting tag values would be applied as:

"costcenter": "scranton-1138",
"environment": "production",
"owner": "dwight"

Automatically tagging who created a resource

When responding to an incident, time is of the essence. Knowing who created any given cloud resource enables operations teams to quickly reach out to the right individuals or teams, reducing Mean Time to Resolution (MTTR). Guardrail's now adds new createdBy and createTimestamp metadata to the Guardrails CMDB for every resource creation event. For each cloud provider we capture the IAM identity matching who created the resource from that provider's audit logging service:


  • userIdentity.arn: The full ARN of the identity that created the resource.


  • initiatedBy.userPrincipalName (Active Directory resources)
  • caller (Azure resources)


  • authenticationInfo.principalEmail

This metadata can then be used in your Guardrails tagging templates to apply the values directly onto the resource:

{% if $.resource.metadata.createdBy %}
- "creator": "{{ $.resource.metadata.createdBy }}"
{% endif %}
{% if $.resource.metadata.createTimestamp %}
- "createTimestamp": "{{ $.resource.metadata.createTimestamp }}"
{% endif %}

Context-aware tagging

It is often desireable to enhance or validate existing resource tags with data from other sources. Using a Turbot File we can import data from other systems and then use that data enhance or verify tags.

Input data from financial systems:

# Approved Cloud Cost Centers:
mgr: "David Wallace"
dept: "Corporate"
mgr: "Michael Scott"
dept: "Sales"
mgr: "Josh Porter"
dept: "Sales"

This data can then be used to validate and add additional metadata to existing resources using a calculated policy template:

{% approved_cc = $.resource.approved_cost_centers %}
{% cost_center = $.resource.tags['costcenter'] %}
{% if cost_center in approved_cc %}
- "validation": "Valid Cost Center"
- "department": "{{ approved_cc[cost_center]['dept'] }}"
- "owner": "{{ approved_cc[cost_center]['mgr'] }}"
{%- else -%}
- "validation": "Invalid Cost Center"
{%- endif -%}

After running our previous example through this logic our resulting tags would match the following:

"costcenter": "scranton-1138",
"environment": "production",
"owner": "Michael Scott",
"department": "Sales",
"validation": "Valid Cost Center"

Intelligent tagging made easy

With Guardrails' intelligent tagging, the chaos of manual tagging is tamed. Guardrails ensures consistent, policy-driven tags across all cloud resources, automatically capturing and applying contextual insights. Operational overhead is minimized as your automated rules detect and rectify non-compliant tags in real-time. No more manual fixes, no more back and forth incident management; just accurate, insightful, real-time metadata.

See it in action

Questions about Guardrails' tagging capabilities? Join our discussions in the #guardrails channel of our Slack community. We always value your feedback and look forward to hearing how your team leverages notifications!