Tags in Turbot

Tags allow users and administrators to label various Turbot resources. Using a variety of Turbot tagging policies, organizations can create a wide range of tagging rules, implementing both static and dynamic tagging restrictions.

At a high level, Turbot supports tagging of both Turbot resources, such as a folder, and Cloud Provider resources, such as an Azure Subscription or AWS EC2 instance. Tags can be set on Turbot resources by navigating in the UI to the CMDB entry for said resource and using the Tags section to add any desired tags. Cloud resources, on the other hand, have their tags configured through a collection of policies.

Tagging Cloud Resources

For any cloud resource that can be tagged, an associated policy in Turbot exists called Cloud Provider > Service > Resource > Tags. For example, if an administrator wanted to enforce tags on an AWS EC2 instance, the policy would become AWS > EC2 > Instance > Tags. This set of policies is the driving mechanism to determine if tags should be checked for violations by Turbot, and if action should be taken when a resource is found to not have the correct set of tags.

Tagging Templates

Tagging templates allow flexibility in assigning tags for various resources across a wide number of accounts. A policy will check all resources within the scope for the correct tags. If a tag exists but should not, it is removed. Tags that do not exist but should will be added by Turbot.

A basic tagging template is a YAML list with static values. Consider the policy AWS > EC2 > Instance > Tags > Template. In this example, instances are required to have Cost Center, Environment, and Account Owner tags. These tags do not change throughout the account, so the policy can be set on the folder that the AWS account is a child of (recommended) or on the AWS account itself within Turbot.

- Cost Center: "Security"
- Environment: "Dev"
- Account Owner: "John Doe"

If the policy AWS > EC2 > Instance > Tags is set to Enforce: Set tags, Turbot will take action on any EC2 instance without the required set of tags.

Dynamic Tagging

Using the tagging template example above, it becomes trivial to enforce a set of tags on a variety of resources. However, many organizations have more complex tagging requirements, such as not only ensuring that AWS IAM users have an email tag, but also validating that the tag is in fact an email.

Continuing with the example above, the AWS > EC2 > Instance > Tags > Template policy offers a Switch to calculated mode option in the new policy view. The policy window then changes to allow users to write custom Calculated Policies.

Examples

For all the examples, use the following query in the calculated policy, using AWS > EC2 > Instance > Tags > Template:

{
  resource {
    turbot {
      tags
    }
  }
}

Alarm if key does not exist

If the key cost_center does not exist, output cost_center:missing_tag. Else, simply output a blank array. Turbot will alarm if the tag is not correct.

Template:

{%- if 'cost_center' not in $.resource.turbot.tags -%}
{# The key cost_center is missing: emit a placeholder value so Turbot alarms #}
- cost_center: 'missing_tag'
{%- else -%}
[]
{%- endif -%}

Alarm if key:value pair does not exist

If the key:value pair cost_center:Security does not exist, output cost_center:Security. Else, simply output a blank array. Turbot will alarm if the tag is not correct.

Template:

{%- if 'cost_center' not in $.resource.turbot.tags -%}
{# The key cost_center is missing: emit the required pair so Turbot alarms #}
- cost_center: 'Security'
{%- elif $.resource.turbot.tags.cost_center != 'Security' -%}
{# The key exists but does not hold the required value #}
- cost_center: 'Security'
{%- else -%}
[]
{%- endif -%}
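The decision logic the two templates above encode, together with the email-format check mentioned under Dynamic Tagging, as an added JavaScript example (not Turbot's own code): it models the rules against the tags object returned by the query so a rule set can be unit-tested before it is written as a Nunjucks template. The rule shape, the marker values and the sample tag sets are assumptions constructed for the example.

```javascript
// Added example, not Turbot code: models the decision logic of an
// AWS > EC2 > Instance > Tags > Template calculated policy in plain JavaScript.
// Input is the `tags` object the page's query returns ($.resource.turbot.tags).

// A rule names a required key plus, optionally, the exact value it must hold
// or a regular expression its value must match (rule shape is assumed).
const RULES = [
  { key: "cost_center", value: "Security" },               // key:value pair must exist
  { key: "environment" },                                  // key must exist
  { key: "email", pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ }, // value must look like an email
];

// Returns what the template would emit: one {key: value} entry per
// non-compliant tag, or [] when every rule is satisfied (no alarm).
function expectedTags(tags, rules = RULES) {
  const out = [];
  for (const rule of rules) {
    if (!Object.prototype.hasOwnProperty.call(tags, rule.key)) {
      // Missing key: emit the required value when known, else a marker value
      out.push({ [rule.key]: rule.value !== undefined ? rule.value : "missing_tag" });
    } else if (rule.value !== undefined && tags[rule.key] !== rule.value) {
      // Key exists but holds the wrong value: emit the required value
      out.push({ [rule.key]: rule.value });
    } else if (rule.pattern && !rule.pattern.test(String(tags[rule.key]))) {
      // Key exists but its value fails validation: emit a marker value
      out.push({ [rule.key]: "invalid_tag" });
    }
  }
  return out;
}

// Constructed sample tag sets standing in for three EC2 instances.
const SAMPLE_TAGS = {
  compliant:   { cost_center: "Security", environment: "Dev", email: "john.doe@example.com" },
  missingKey:  { environment: "Dev", email: "john.doe@example.com" },
  wrongValues: { cost_center: "Finance", environment: "Dev", email: "not-an-address" },
};

// Evaluate every sample and report which would raise a Turbot alarm.
function evaluateSamples(samples = SAMPLE_TAGS) {
  const report = {};
  for (const [name, tags] of Object.entries(samples)) {
    const expected = expectedTags(tags);
    report[name] = { alarm: expected.length > 0, expected };
  }
  return report;
}

console.log(JSON.stringify(evaluateSamples(), null, 2));
```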