Take back control of your tags with Tailwarden - Part 1
A three-part series where we explore how to understand, remediate and monitor your cloud resource tags.
Having a strong and consistent cloud tagging strategy is one of the basic building blocks needed for any organization that is seriously trying to effectively manage and thrive in the cloud. But even a great strategy, if not accompanied by excellent execution, won’t be very effective. That’s why I want to take a practical approach to exploring some Tailwarden features that can aid in effective tagging management. In the following three articles, I will do my best to show how a well-executed strategy can make all the difference in your cloud management efforts.
A tag is one of the easiest cloud concepts to explain: a key/value pair attached to a cloud resource holding any information you want. A well-defined tagging strategy that's robust yet flexible, well-implemented, auditable, and future-proof shouldn’t be much more difficult. However, it starts getting complicated if you don’t have clear answers to questions like: Who is in charge of the tagging strategy? When should tags be attached to a resource? Are there any organization-wide mandatory tags? Can team-level tags be added? Are tags case-sensitive? Are there any enforcement policies in place?
Having a tagging strategy isn’t optional. If you have untagged resources in your environment, it doesn’t mean you lack a tagging strategy; it just means your strategy leaves a lot to be desired. Think of it this way: just because your car doesn’t have any license plates on the bumpers doesn’t mean it’s not registered to you. Once this is internalized, we can start challenging some assumptions, and you can start focusing on consistently executing, remediating, and evolving the tagging strategy.
The Downsides of a Bad Strategy
Unless your strategy is rock solid you can never be sure you are not leaving money on the table.
If tags are sparsely implemented or not carefully maintained across teams and departments, then when you gather infrastructure cost metrics from aggregation tools like AWS Cost Explorer or Tailwarden you can never be sure to have 100% coverage. With inconsistent tags, crucial resources might be left out of budgets, but you can be sure that they will appear in the cloud provider's monthly bills.
Unless you have an owner you don’t have a strategy.
A tagging strategy is not an organic process that self-preserves and improves automatically. It needs an individual or team to take responsibility for it and commit to maintaining and ensuring enforcement across the board. If not, it can become a hindrance to future management efforts and a huge missed opportunity. What does this mean in practice? Apart from every resource having an Owner or Team tag, there should be a person or team who is responsible for company-wide tagging compliance, making sure all Owners and all Teams are in alignment with the larger strategy.
It’s impossible to have a cost-conscious culture at your organization without hard and reliable data.
A consistent tagging strategy is one of the main ingredients necessary to be able to consistently generate reliable, granular, and reproducible resource usage data and cloud transparency metrics. If one of your objectives is to nurture a culture of cost consciousness and resource safeguarding, it has to start with a reliable source of truth.
I assume you already have a tagging strategy in place, for better or worse, and you are not starting a green-field project. In the upcoming blog posts, we will look at practical advice that can be applied to your organization immediately. We will break down our exploration into three execution phases: Evaluating your situation, then Remediating the Situation, and finally Ensuring consistency over time. Along the way we will show how some Tailwarden features can be used to make managing your cloud tags much easier.
Understand your current implementation
Who owns and executes the tagging strategy?
This is a crucial question you need to have a clear answer to. Tags are useful at every level, and since cloud providers can hold up to 50 or 60 tags per resource in some cases, individual contributors should be encouraged to use custom tags that help them in their work. But there has to be an overarching, cohesive system of communally agreed-upon tags (a tagging strategy) that tools like Tailwarden can leverage to glean high-level, organizational insights. The core organization tagging requirements have to be implemented top-down and monitored across namespace, account, and provider in a centralized manner.
Which tags are company-wide and mandatory?
There is no “silver bullet” industry-standard tagging strategy; each company is different and need not copy what other companies do. Having said that, inside the organization itself, there must be no doubt at all about which tags must be applied company-wide and preferably at creation time. For example, some commonly used tag keys are:
- Team: To what squad does the resource belong?
- CostCenter: Whose budget does the resource fall into?
- Environment: Production, Staging, Sandbox, TestingAccount
- Service: Does this resource belong to a larger service cluster?
How consistently have the tags been applied?
Understandably, as environments and teams scale, maintaining tagging compliance can become a difficult task. If you are using some sort of IaC tool you might be able to ensure compliance at creation time, but how do you know tags weren’t edited or removed afterward? This is where some tooling can help.
Tags Audit feature
Once you connect your cloud accounts to Tailwarden, your cloud resources will be automatically fetched, and any tags attached to those resources will appear along with them.
To inspect your currently implemented tags, navigate to the tags audit widget, found in the main dashboard. It displays the tag key and value, the number of instances of the tag, and the stage coverage rate, which equates to the percentage of resources that have that particular tag attached.
Tailwarden distinguishes between two types of tags. Provider tags are created at the cloud provider level. Virtual tags, on the other hand, are tags created inside Tailwarden. The cloud provider is unaware of the existence of virtual tags, but they can be very useful for you to extend business units, services, and departments across multiple cloud accounts or even providers.
Tags audit gives you quick access to the resources and with just a couple of clicks, you can find them inside your cloud account.
The Tags Audit widget acts as the first line of defense in understanding the current state of tagging in your environment. Use it to quickly catch spelling mistakes and repeated or underutilized tags.
What insights are readily available?
Along with the tags audit feature, you can gain further insight into your tags by applying specific filters to the resource inventory to get answers to questions like: Do I have any untagged resources? Are all of the most expensive resources correctly tagged? Are all mission-critical resources tagged with all required tags?
Untagged Resources
The lowest-hanging fruit in trying to understand the current tagging implementation is to filter for all empty tags. In the example below, all Untagged AWS resources which were created in the last 7 days will appear. Any resource that appears in this search violates the tagging strategy and should be addressed.
Finding expensive critical resources
The specific tag filter combined with a Cost greater than 100 dollars filter shows 0 resources. Good news, right? Are we sure that all costly resources have the current Environment:Prod tag? Or are they even tagged at all?
Remove the tag filter and compare the results: are there any costly resources that are untagged? If so, fix it.
Easily find missing tags
Filter specific categories like service or region and add the Specific tag / Doesn't exist filter to generate a list of all resources that are missing a key tag.
In this case, I have 232 IAM roles that don’t have an Owner tag attached to them. I have some tagging to do.
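The same three checks described above (per-tag coverage rate, near-duplicate keys from spelling or case mistakes, and resources missing a required tag) can be reproduced over any exported inventory. This is an added example, not Tailwarden code or its API: the inventory is constructed sample data, the function names are hypothetical, the mandatory keys are the ones from the example list earlier in this article, and keys are compared case-sensitively as an assumption.

```python
from collections import Counter
from difflib import SequenceMatcher
from itertools import combinations

# Mandatory keys taken from the article's example list.
MANDATORY = ("Team", "CostCenter", "Environment", "Service")

# Constructed sample inventory (not real data): resource id -> provider tags.
INVENTORY = {
    "i-0001": {"Team": "payments", "CostCenter": "cc-10", "Environment": "Prod", "Service": "api"},
    "i-0002": {"team": "payments", "CostCenter": "cc-10", "Environment": "Prod", "Service": "api"},
    "role/deploy": {"Team": "platform", "Enviroment": "Prod"},
    "bucket/logs": {},
    "db-01": {"Team": "data", "CostCenter": "cc-20", "Environment": "Staging", "Service": "etl"},
}

def coverage(inventory):
    """Percentage of resources carrying each tag key (exact, case-sensitive match)."""
    counts = Counter(key for tags in inventory.values() for key in tags)
    return {key: round(100 * n / len(inventory), 1) for key, n in counts.items()}

def near_duplicates(inventory, threshold=0.85):
    """Pairs of distinct keys that differ only by case or a small typo."""
    keys = sorted({key for tags in inventory.values() for key in tags})
    pairs = []
    for a, b in combinations(keys, 2):
        # Compare lowercased so "Team"/"team" scores 1.0 and typos score high.
        ratio = SequenceMatcher(None, a.lower(), b.lower()).ratio()
        if ratio >= threshold:
            pairs.append((a, b))
    return pairs

def missing_mandatory(inventory, mandatory=MANDATORY):
    """Map each non-compliant resource to the mandatory keys it lacks."""
    report = {}
    for rid, tags in inventory.items():
        missing = [key for key in mandatory if key not in tags]
        if missing:
            report[rid] = missing
    return report

if __name__ == "__main__":
    print("coverage %:", coverage(INVENTORY))
    print("suspicious key pairs:", near_duplicates(INVENTORY))
    print("missing mandatory tags:", missing_mandatory(INVENTORY))
```

Note how the miscased `team` and misspelled `Enviroment` keys both lower the coverage of the real key and leave their resources non-compliant, which is why near-duplicates are worth fixing before trusting any coverage figure.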
Save your most crucial filters as Custom Views
As you leverage tags to filter the inventory list, save the results as Custom Views. When you filter the inventory list by including tags, you are effectively shining a light on deep, dark, and unvisited areas of your infrastructure you might have never seen before. Save a granular filter as a custom view so that you always have quick access to key infrastructure insights.
Alerts and filters can also be applied to custom views themselves, but we will cover that in more detail in the blog posts to come.
In the cloud, as in IT and business management in general, I would not be the first one to assert that an incredibly sophisticated tagging strategy isn’t worth very much unless it is executed diligently. Without regular checks and the right tools to ensure consistent implementation and prevent divergence, even the most intricate strategy can lose its effectiveness. When your implementation isn’t perfect, it’s time to remediate. Remediation is an integral phase of effective tagging execution and also the topic of the upcoming blog post.