Tags in Guardrails
Tags are a fundamental concept for many organizations. Identification of cloud resources across many accounts is trivial, but only if tagging processes are in place and understood by users. With Guardrails, we can enforce tags on various resource types. This includes, but is not limited to, checking for the following scenarios:
- Ensuring all resources have at least one tag.
- Ensuring all tags are lower (or upper) case to allow for automation.
- Specific keys must exist.
- Specific keys AND values must exist.
Guardrails can both check and remediate resources that do not have compliant tags. Metadata about the resource stored in CMDB or information from a Guardrails File can be referenced when checking and applying tags.
If you are not familiar with Calculated Policies, check out the Calculated Policies FAQ as well as our 7 minute lab.
Tagging Cloud Resources
For any cloud resource that can be tagged, an associated policy in Guardrails exists (note that tags are called "Labels" in Google Cloud):
AWS > Service > Resource > Tags
Azure > Service > Resource > Tags
GCP > Service > Resource > Labels
For example, if an administrator wanted to enforce tags on an AWS EC2 instance,
the policy would become AWS > EC2 > Instance > Tags
. This set of policies is
the driving mechanism to determine if tags should be checked for violations by
Guardrails, and if action should be taken when a resource is found to not have the
correct set of tags.
Tag Value Reserved Strings
Guardrails uses tag values of null
and undefined
as indicators that a tag key
should be removed. If a user sets these reserved keywords as tag values, in some
cases this can result in unintentional tag key removal. For this to happen, the
following conditions must be met:
- Tags policy is set to
Enforce
. - The tag key most be specified in the Tags Template policy.
- The tag value set by the user is
null
orundefined
. If the tag keys aren't specified in the template, then Guardrails will ignore them.
Tagging Templates
Tagging templates allow flexibility in assigning tags for various resources across a wide number of accounts. A policy will check all resources within the scope for the correct tags. If a tag exists but should not, it is removed. Tags that do not exist but should will be added by Guardrails.
A basic tagging template is a YAML list with static values. Consider the policy
AWS > EC2 > Instance > Tags > Template
. In this example, instances are
required to have a Cost Center
, Environment
, and Account Owner
tags. These
tags do not change throughout the account, and thus the policy can be set at the
folder level of which the AWS account is a child of (recommended) or on the AWS
account within Guardrails.
- Cost Center: "Security"- Environment: "Dev"- Account Owner: "John Doe"
If the policy AWS > EC2 > Instance > Tags
is set to Enforce: Set tags
,
Guardrails will take action on any EC2 instance without the required set of tags.
Add, Update or Remove Tags using Tagging Templates
Adding, updating or removing tags can be done in a straightforward way. The tags template asserts which tags that should or should not be set on the resource. NOTE: If a resource has tags that are not described in the Tags Template, then Guardrails will ignore those tags. Only tags defined in the template are processed.
Add
To add a new tag, specify it in the template. If the tag already exists on the resource, then Guardrails will update that tag to the specified value.
- SomeTag: ReallyImportantTagValueV1
Remove Tag
To remove a tag, set the value to null
.
- SomeTag: null
Update Tag Value
Updating a tag value on a resource is done by updating the tag value in the tags template. The approach is the same as adding a new tag.
- SomeTag: ReallyImportantTagValueV2
Update Tag Key
To change a tag key, one must destroy the old tag then create a new one. Use the approach described in "Remove Tag" to proceed.
- SomeTag: null- SomeNewTag: NewReallyImportantTagValue
Dynamic Tagging
Using the tagging template example above, it becomes trivial to enforce a set of tags on a variety of resources. However, many organizations have more complex tagging requirements, such as not only ensuring that AWS IAM users have an email tag, but also validating that the tag is in fact an email.
Continuing to use the above example, the
AWS > EC2 > Instance > Tags > Template
in the new policy view has the option
to Switch to calculated mode
. The policy window then changes to allow users to
write custom Calculated Policies.
Examples
For all the examples, use the following query in the calculated policy, using
AWS > EC2 > Instance > Tags > Template
:
{ resource { turbot { tags } }}
Alarm if key does not exist
If the key cost_center
does not exist, output cost_center
:missing_tag
.
Else, simply output a blank array. Guardrails will alarm if the tag is not correct.
Template:
{%- if 'cost_center' not in $.resource.turbot.tags -%} {# Check for the key cost_center #}- cost_center: 'missing_tags'{%- else -%}[]{%- endif -%}
Alarm if key:value pair does not exist
If the key:value pair cost_center
:Security
does not exist, output
cost_center
:Security
. Else, simply output a blank array. Guardrails will alarm
if the tag is not correct.
Template:
{%- if 'costcenter' not in $.resource.turbot.tags-%} {# Check for the key cost_center #}- cost_center: 'Security'{%- elif 'Security' != $.resource.turbot.tags.costcenter -%} {# Check for the value of key cost_center #}- cost_center: 'Security'{%- else -%}[]{%- endif -%}
Alarm if a Resource has no Tags
A simple use case for Guardrails tagging controls is to check resources for the existence of tags.
Template:
{# Checks if there are any tags #}{% if $.resource.turbot.tags | length == 0 -%}"tag_compliance": "untagged_resource" {# temp placeholder to mark it untagged #}{% else -%}[] {# if there are tags, do nothing #}{%- endif %}
If there are tags, the template policy returns a blank array ([]
). If there
are no tags, the tagging control will alarm saying that a new tag must be added.