
Cloud Resource Tagging with Resoto

We just published an overhaul of our blog post "Cloud Tagging with Resoto", and if you're looking to shine a light into the black box called cloud, then this one's for you. 

In the post, we show how to maintain good tag hygiene and make tag maintenance easy. In our example, we consider a scenario where an internal policy demands that all AWS S3 buckets and EC2 volumes carry a tag with key "costcenter" and value corresponding to a department or project. Let's assume the case-sensitive tag is sometimes misspelled. Three tactics:

  1. Check
  2. Fix
  3. Prevent

For "Check", we find all resources that fall under the policy, and check which ones and how many of them have a typo. This search will produce all EC2 volumes and S3 buckets:

> search is(aws_ec2_volume) or is(aws_s3_bucket) | count
total matched: 314159
total unmatched: 0

Since I don't know all the possible typos in advance, I search for all tags on these resources and count how often each key occurs.

> search is(aws_ec2_volume) or is(aws_s3_bucket) | jq '.tags | keys | .[] | {name:.}' | flatten | count /name
Name: 123
CostCenter: 42331
costcenter: 271828
name: 359632
owner: 389374

For "Fix", I add a new tag to resources, taking the value from the existing tag:

> search is(aws_ec2_volume) or is(aws_s3_bucket) and tags.CostCenter != null | tag update costcenter {tags.CostCenter}

Then I delete the incorrect tag.

> search is(aws_ec2_volume) or is(aws_s3_bucket) and tags.CostCenter != null | tag delete CostCenter

A quick double-check that the numbers now add up:

> search is(aws_ec2_volume) or is(aws_s3_bucket) and tags.costcenter != null | count
total matched: 314159
total unmatched: 0

They do - great!
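The "Check" and "Fix" steps as an offline sketch, added here as an example and not taken from the original post or from Resoto. It goes beyond the single known misspelling by also catching separator variants and near-miss typos, and it reports resources where the wrong and right keys hold different values instead of planning a fix. The function names, the 0.85 similarity threshold and the sample inventory are assumptions made for illustration.

```python
from collections import Counter
from difflib import SequenceMatcher

REQUIRED_KEY = "costcenter"  # policy key from the post (case-sensitive)

def normalize(key):
    """Fold case and drop separators so 'Cost-Center' and 'cost_center' compare equal."""
    return "".join(ch for ch in key.lower() if ch.isalnum())

def is_variant(key, required=REQUIRED_KEY, threshold=0.85):
    """True if key is not the required key but normalizes to it or is a near-miss typo."""
    if key == required:
        return False
    norm = normalize(key)
    return norm == required or SequenceMatcher(None, norm, required).ratio() >= threshold

def audit(resources, required=REQUIRED_KEY):
    """Return (variant key counts, repair plan, conflicting ids, ids missing the tag)."""
    variants, plan, conflicts, missing = Counter(), [], [], []
    for res in resources:
        tags = res["tags"]
        wrong = sorted(k for k in tags if is_variant(k, required))
        variants.update(wrong)
        values = {tags[k] for k in wrong}
        if required in tags:
            values.add(tags[required])
        if not values:
            missing.append(res["id"])    # no costcenter tag in any spelling
        elif len(values) > 1:
            conflicts.append(res["id"])  # competing values: needs a human decision
        elif wrong:
            plan.append({"id": res["id"], "set": {required: values.pop()}, "delete": wrong})
    return variants, plan, conflicts, missing

# Constructed sample inventory (hypothetical ids and tag values)
SAMPLE = [
    {"id": "vol-1", "tags": {"costcenter": "platform", "owner": "ana"}},
    {"id": "vol-2", "tags": {"CostCenter": "data", "Name": "scratch"}},
    {"id": "bkt-1", "tags": {"cost_center": "web"}},
    {"id": "bkt-2", "tags": {"costcentre": "ml", "costcenter": "research"}},
    {"id": "bkt-3", "tags": {"owner": "bo"}},
    {"id": "vol-3", "tags": {"CostCenter": "ops", "costcenter": "ops"}},
]

if __name__ == "__main__":
    for part in audit(SAMPLE):
        print(part)
```
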

For "Prevent", it's time to set up automation so I don't have to do this manually anymore. The above steps are all exploratory. But I'd rather let the machines do the work, so I schedule an hourly job:

> jobs add --id repair_tags --wait-for-event collect_done: search is(aws_ec2_volume) or is(aws_s3_bucket) and tags.CostCenter != null | tag update costcenter {tags.CostCenter}

Finally, I do want our engineers to know. So I set up an alert when an incorrect tag pops up, in either Discord or Slack.

> jobs add --id notify_missing_tags --wait-for-event post_collect 'search is(aws_ec2_volume) or is(aws_s3_bucket) and tags.costcenter = null | discord title="Resources missing `costcenter` tag" webhook="https://discord.com/api/webhooks/..."'

That's it! 


Lars Kamp

@scapecast
Co-founder at Some Engineering Inc. - we build Resoto, an open source cloud asset inventory.